Oh man. The infinite loops of impossible verification by large companies that should know better are a massive pet peeve of mine.
This goes right to the top for me, along with the ubiquitous "please verify your account" emails with NO OPTION to click "that's NOT me, somebody misused my email". Either people who do this for a living have no clue how to do their job, or, depressingly more likely, their goals are just completely misaligned to mine as a consumer and it's all about "removing friction" (for them).
> along with the ubiquitous "please verify your account" emails with NO OPTION to click "that's NOT me, somebody misused my email"
What would you expect clicking that "wasn't me" link to do?
In 99% of cases, the user who signed up with your address already can't do any more with that account unless you positively confirm it was you; and the site also won't send you any more email because they don't consider the email verified (and so sending to it might result in their emails getting sent to spam -> their email-sending reputation score going down.) So things are already in the state you'd want them to be in, no?
The only problem I can think of with that state is that now you can't sign up "fresh" for an account with the same provider, because now there's already an account associated with your email address sitting there in their DB in the pending-email-verification state. (But you still can acquire that account, by clicking "forgot/reset password" and going through that flow, which will inevitably go through your email, as anything like a 2FA setup flow always waits behind email verification.)
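The comment above describes the states a sign-up can sit in (pending, never verified, reclaimable through the password-reset flow) and the thread's complaint is that the mail offers no "that wasn't me" link. The following Python model is an added example, not code from any commenter or provider; the class and method names, the in-memory stores and the token handling are assumptions chosen to show how a "not me" link can cancel the pending account and suppress further mail, while the mailbox owner can still take the account over through reset. Tokens are stored only as digests so a leaked table does not expose live links.

```python
"""Sign-up with email verification, an explicit "that wasn't me" link, and
reclaiming a pending account through password reset (added example)."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

PENDING, VERIFIED, CANCELLED = "pending", "verified", "cancelled"


def _hash(value: str) -> str:
    # Only a digest of each single-use token is kept, never the token itself.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:
    email: str
    state: str = PENDING
    password_hash: Optional[str] = None
    emails_sent: list = field(default_factory=list)  # stand-in for an outbox


@dataclass
class SignupService:
    accounts: dict = field(default_factory=dict)    # email -> Account
    tokens: dict = field(default_factory=dict)      # digest -> (kind, email)
    suppressed: set = field(default_factory=set)    # addresses that clicked "not me"

    def _issue(self, kind: str, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[_hash(token)] = (kind, email)
        return token

    def _consume(self, token: str, kind: str) -> Optional[str]:
        entry = self.tokens.pop(_hash(token), None)
        if entry is None or entry[0] != kind:
            return None
        return entry[1]

    def signup(self, email: str) -> Optional[dict]:
        """Create a pending account and return the links that would be mailed,
        or None when nothing may be sent (address suppressed or already taken)."""
        email = email.lower()
        if email in self.suppressed or email in self.accounts:
            return None
        self.accounts[email] = Account(email)
        self.accounts[email].emails_sent.append("verify")
        return {"verify": self._issue("verify", email),
                "not_me": self._issue("not_me", email)}

    def verify(self, token: str) -> bool:
        email = self._consume(token, "verify")
        if email is None or self.accounts[email].state != PENDING:
            return False
        self.accounts[email].state = VERIFIED
        return True

    def not_me(self, token: str) -> bool:
        """Mailbox owner disowns the sign-up: cancel the account, drop every
        outstanding token for it, and never mail that address again."""
        email = self._consume(token, "not_me")
        if email is None:
            return False
        self.accounts[email].state = CANCELLED
        self.tokens = {k: v for k, v in self.tokens.items() if v[1] != email}
        self.suppressed.add(email)
        return True

    def can_login(self, email: str) -> bool:
        acct = self.accounts.get(email.lower())
        return acct is not None and acct.state == VERIFIED

    def request_reset(self, email: str) -> Optional[str]:
        """Reset goes through the mailbox, so the mailbox owner can reclaim a
        pending account that someone else created with their address."""
        acct = self.accounts.get(email.lower())
        if acct is None or acct.state == CANCELLED:
            return None
        acct.emails_sent.append("reset")
        return self._issue("reset", acct.email)

    def complete_reset(self, token: str, new_password: str) -> bool:
        email = self._consume(token, "reset")
        if email is None:
            return False
        acct = self.accounts[email]
        acct.password_hash = _hash(new_password)  # placeholder; use a real password KDF
        acct.state = VERIFIED                      # proof of mailbox control counts as verified
        return True
```

The design point is that the "not me" link does two things a silent pending state does not: it records the owner's objection so later sign-ups with the same address send nothing, and it invalidates the verify link so the impostor cannot complete the flow later.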
Oh man, we had a person leave unexpectedly who controlled our Apple organization for our dev accounts. I'm several months into making requests, getting responses at least a week later for each email where the responder ... didn't really read my message. Then they ask for documents ... but they forgot to send me the secure link ... another week+ for them to do what they said they were going to do. Now one of my documents didn't include a sentence they needed ...
One of the requests was for a business card ... I haven't had a business card made with my name on it in 20 years.
The amazing thing is that I bet scammers working this system can get through this faster than I can.
At this point they should just give me control because no way would some scammer fail this much at this ungodly process.
Scammers can definitely get through it faster than you can. Whenever you attempt to address abuse in a system by increasing the complexity of that system, you implicitly bias it towards those with the time and inclination to study it, which always includes those with intent to abuse it, and generally does not include your users.
> Oh man. The infinite loops of impossible verification by large companies that should know better are a massive pet peeve of mine.
I got hit by this from google.
1. Gmail added a requirement for 2FA on my primary email address. Since I had no phone number on file, it instead used my recovery email address. Thankfully, I still had the password for my recovery email address, and could continue to (2).
2. Gmail added a requirement for 2FA on my recovery email address. Since I had no phone number on file, it instead used my recovery's recovery email address. Thankfully, I still had the password for my recovery's recovery email address, and could continue to (3).
3. SBC Communications no longer exists, as it merged with AT&T in 2005. Email addresses at `sbcglobal.net` were maintained up until around 2021-ish, when they started purging any mailboxes that had been idle for more than 12 months.
Fundamentally, this was google's fault for misusing a recovery email for 2FA. Unfortunately, the only way to fix it would be to contact AT&T, asking them to pretty please update the email settings for somebody who hadn't been a paying customer for two decades.
Google made it very clear years ago that they shouldn't be trusted with anything irreplaceable/that would cause major problems if you lost access.
Once it became clear that they'd shifted from "crappy customer service" to (IMNSHO) "we fetishize the complete absence of customer service" it became dangerous to depend on them. Really, what's the worst that could happen? Maybe someone spams emojis in live chat on a game livestream at the request of the streamer on a personal account, it gets banned for abuse, Google recognizes that it's linked to other services and locks down everything? But that's so unrealistic I'm sure it could never happen.
It's not like they also have the ability to identify links between multiple accounts accessed by the same person and have automated processes that might stomp the associated accounts as well. Why, that would probably require something like allowing poorly-understood automated agents to take actions on their own!
Or yours, for not caring about 2FA. It's been a common practice for many years, and strongly recommended by most identity services, as well as OWASP and NIST recommendations.
I have the same issue. At the time I created the account that I'm locked out of, Google said nothing about these "recovery" email addresses as 2FA. Years passed without any notice that maybe they were going to lock me out of an account I have the password for. No notice that I had better have access to that "recovery" email address that I hadn't bothered to keep up to date because I never thought I'd need to "recover" the account from Google. (In my case, it's an old .edu email address that I was promised "for life".)
If Google wanted to lock me out of my account for my own good until I enabled 2FA, fine. But as GP stated, they abused the recovery email addresses to force 2FA on people and ended up locking some people out of their accounts.
Why is 2FA so critical it’s worth proactively breaking the user? What’s the even more bad thing that would (not could) happen to the user if 2FA was not enabled?
nonsense. any feature should have acceptable failure modes. blaming the customer for a fault they have no control over is not acceptable. many people know nothing about 2FA. it is not their responsibility. 2FA is a symptom of shittily designed systems which are inherently insecure and companies who don't give a shit about that and let their customers shoulder the burden by shoving complexity down their throats.
if you make an app it is not your customers' responsibility to secure it with additional actions from their side. if it is, you need to make it mandatory and guide them step by step.
you can't, after a while, enable some toggle and tell people to fuck off and say it's the fault of their ignorance to not know some technical details.
most consumers of these services don't know shit about IT and they should not be burdened with it. any product that demands it is either only meant for tech savvy people or more likely lazily and badly engineered by money hungry people who see an opportunity to make more money from users' issues.
Not force nonconsensual authentication methods onto users.
Google is one of the rare places I actually see positive value to 2FA. Compare with say banks, where it being demanded actually decreases my security. But regardless, it should not be forced.
As for the banks, I doubt it decreases security. Even SMS 2FA actually reduces fraud by 90%+.
Yes, some banks implement it silly, like SVB requiring biometric login in order to scan one-time QR 2FA code from their app (biometric login is less secure), but you don't have to use the QR code, can use regular 2FA without biometrics.
But even then having 2FA is 42 times better than not having it.
They certainly did a proper thing forcing people to use 2FA AFTER multiple emails over the years recommending to turn it on, and warning that they will enforce it, which they did.
I have an "OG" mac.com account (got it about five minutes after Steve announced it). My wife actually has her first name.
We both get hit with "OG Hell," where people are constantly entering our emails. I think most of the time, it is accidental (maybe they meant "XXX1234", and forgot the number).
What makes it worse, is that Apple aliases mac.com, icloud.com, and me.com together, and there's no way to turn off one of the aliases.
mac.com is really in retirement. No one sets up new ones, but the miscreants typo icloud.com, which gets routed to me.
I have a rule, where I shitcan every mail to icloud.com, but I wish I could simply turn off the forwarder.
I’m a different person, but this happens to me, too. I have the kstrauser@yahoo.com email address because I signed up for it like 25 years ago. I log in every 6 months to see what the few other kstrausers in the world have signed me up for.
Not jsmith, but kstrauser. Not Gmail, but Yahoo. And I still get banking docs, and HOA meeting minutes, and birthday party invitations, and Facebook logins, and other bizarre random stuff.
I have so many questions. I’ve typoed my address before and had to correct it. That’s understandable. But to wholly invent one and say, yep, that looks good even though I’ve never used it before, I’m sure it’ll be fine! I just don’t get it.
I have a catch-all on a .com.au domain where there exists a later 1000+ people organisation with the equivalent .gov.au. I get what you described but from many, many people - divorce proceedings, legal discussions, financial documents, health things, etc.
Yeah I have josephg@gmail. The amount of spam that account gets is wild - about 50-100 emails hit the inbox per day. I got soft-locked out of google docs a few months ago because my google account's 25gb quota was exhausted.
Some of the emails are really unfortunate stuff. "Your account was added as a backup address." - Then inevitably, a few weeks later, dozens of password reset emails. Sorry bud. I've received pay stubs. Orders and invoices. I get phone bills every month for someone in India. It's chaos.
Early on I'd sometimes reply to these random emails telling people they've got the wrong address. The most astonishing reply I ever got was from HSBC bank telling me I needed to come into the branch to change my email address. Over the course of a week, I explained about 3 times that that was impossible. That I live in Australia. That I'm not their customer, and it's not my account. Eventually they told me they were disabling online banking on my account. Now I've given up replying at all.
Send emails into that pit of PII misery if you want. I don't read them.
I had one where the person seemed to think their @twitter name was the same thing as my gmail address. Haven't seen it in a while, maybe they figured it out after I told their kid's teacher they had the wrong person...
That may be what they're hoping for, using a similar modus operandi as those WhatsApp/IM messages from strangers who text you with things in the vein of ‘Hey, it was great meeting you at the conference’ or ‘Did Martha like your flowers?’ etc.
There are times where you just can't... someone uses my email address in person at tractor supply co. and I'm getting a ton of marketing email I can't unsub from.
I've had this happen several times... There's a lawyer I used for a dispute a few years ago, and they now have another "First Last" name that matches mine, and he keeps emailing me... my reply, "Wrong Michael, again..."
It's kind of annoying all around... I need to get off my butt and get a few things shifted, then just start relying on my own MTA again, instead of forwarding *@mydomain to my gmail. I'll still wildcard the domain, but to a single mailbox on my own MTA.
I'm not sure how bad the spam might get though... I've had a test account on my MTA for a couple years and it hasn't really received any... my wildcard accounts either... I use the wildcard so I can do things like walmart@mydomain, to see if/where an email address is sold/leaked from regarding spam.
Right. Techies are always quick to suggest I do something naughty or funny with this "great power" I've unwittingly gained, but in reality it's just a liability. If I ignore it and they do something nasty and implicate me, it's a pain. If I touch it with a 10 ft pole, now I'm even more actively involved.
Just include "not me!" in the verification email, damn it.
I think you’re misreading this. OP has an email account. Someone else signed up for some website that doesn’t verify that you own the address before allowing you to log in and use the service. If the site did verify it, the user wouldn’t have been able to log in because OP would have been getting the verification emails, and not the user.
Later, after OP told the user and they failed to change their address, OP logged into the site and changed their password, putting an end to the spam they were receiving from the user’s actions.
I don’t have an ethical qualm with this. He didn’t want to sign up for the service. Someone else signed his email address up for it. Legally, I can’t imagine that being prosecutable.
One thing I've found, occasionally the hard way, is that helpful bystanders are always offering advice based on "ethical", "intuitive", "logical" and "common sense", usually without any aspect of "legal".
I got divorced a decade ago, and every well-wishing person in my life was strongly urging me to do things which were shockingly counter-productive / dangerous / wrong, based on their confident understanding (assumption, really) of the law which was completely and dangerously inaccurate.
Hacker News audience is global. People start accounts for various purposes. Yet people still freely share the notion that logging in to some unknown website run by an unknown company from a hard to spell country and then touching things is universally safe.
I miss the old "IANAL" tag which at least provided basic warning and self-awareness :-).
While true, I think that's implicit in all online conversations. I'm certain my thinking is 100% wrong in some jurisdictions elsewhere. Anything I say is wrong somewhere.
"It's OK: you can curse on the Internet." "Not when you're typing from Iran!" "Well, OK, if you're in Iran, don't take this American's advice for dealing with a government."
Part of our obligation as a reader is to consider what others are saying in the context of our own circumstances and experiences before trying to apply it. If you don't, and things end badly, that's on you.
But I stand on my words: I think it's ethically OK. You may not. That's alright. We're not required to have the same ethics or morals. And I don't think that's prosecutable. That's my opinion, based on my circumstances, not a statement of fact that applies in all jurisdictions around the world.
Above all else, I got tired of giving disclaimers about every single thing I say lest someone jump in with a "gotcha! scenario" I hadn't considered because it's not relevant to the context of the discussion.
IANYL, though! Offering legal advice with the disclaimer “I am not a lawyer” could be prosecuted as practicing law if a reasonable party could still infer a potential lawyer-client relationship from your message and/or intent. Instead, “I am not your lawyer” explicitly denies the lawyer-client relationship, which closes the door on both being accused of practicing law illegally and on being found as party to a lawyer-client relationship whether or not you have the appropriate certifications.
> closes the door on [...] being accused of practicing law illegally
Does it? So I can say, "I'm not your lawyer, but I'm happy to go ahead and give you specific legal advice on your case." and I can't be accused of illegally practicing law? I was under the impression that this could still get you into hot water. But not being your lawyer, due to the fact that I am not a lawyer at all, I don't know if it is true or not.
As with all things, who are you going to get in trouble with? And what's so magical about legal practice as opposed to, say, giving shitty medical advice or telling someone how to build a porch? Asking genuinely. No one falls all over themselves to say "I am not a doctor, but...", even though their next words could kill someone. The implication is that they don't have formal training but they saw something on Facebook that you should try. What happens next is on you, not on them.
> No one falls all over themselves to say “I am not a doctor, but”
This is precisely why I’m pointing this out: IANAL is a very curious case of people self-labeling their statements as “not trustworthy for the topic”. I can think of perhaps no other cases where it is so popular to claim to not be a professional in the relevant field, which suggests that IANAL is a ‘badge of honor’ rather than a proper legal disclaimer. Certainly few (if any) claim IANAD before writing about their experiences with medical issues, body things, or nutritional supplements here, even though those topics are (as you correctly indicate) potentially lethal.
Thus, IANYL: if your goal is to ensure that the recipient of your advice / opinion / whatever does not have grounds to claim that you provided legal advice, and therefore are their lawyer, then you can either do so weakly with TINLA (“this is not legal advice”), which still leaves the door open for awkward claims by some desperate grifter-rando to reach a bench, or you can do so strongly with IANYL (“I am not your lawyer”), which closes that vulnerability in full.
Not once in years of using IANYL have I seen anyone else properly protect themselves from this vulnerability; meanwhile, “IANAL but” remains in use as a badge of honor. So, yeah, I don’t think anyone considers the particular avenue of vulnerability a serious threat, and yeah, the general context of IANAL here is prideful rather than protective. But after twenty years of dealing with a stalker who was adept at internet and tried to fuck with my job at one point, I do now tend to value closing off legal vulnerabilities with certainty, and as a bonus it doesn’t imply insult to the professions of law.
I think it’s more like you registered the car in their name. Now they’re allowed to use it, and also responsible for the thing which they didn’t want.
Consider that the “imposter” starts uploading child porn or something, and it’s on an account registered to your address. I think it’s perfectly A-OK to tell the service that it’s not me using the thing and I want them to close the account someone created in my name.
On the other hand, in Hong Kong it would be straight to jail. Someone was sent a link by the airline, he changed a couple of characters and it ended up showing another person’s data. The guy voluntarily reported the vulnerability and all he got was a criminal charge and was found guilty.
This happens to me several times a month. I'm more concerned about account termination, in that if their Gmail account is terminated for some reason, mine would be as well due to it being the backup email address.
A couple of years ago someone associated my email with their bank account in Santander UK. I tried to get in touch with Santander but turned out that the only way to do so is to either make an international call (I don't live in UK) or send them a paper letter. I gave up and just routed these emails to separate folder.
I meticulously report every single one of the emails like this as spam. Every single one. If it _could_ be read as a phishing attempt, I report them as phishing.
It's entirely on us as citizens for leaving them as pet peeves instead of crafting them into strategic law that makes them not only illegal but shunned. A little bit of structure goes a long way here.
I'm currently in the endless email loop because someone named Raymond used one of my Gmail names to register with State Farm. One of their agents even emails me directly when he gets really behind on his payments but won't do anything when I tell them it's the wrong email.
In the past when this happens I usually reset the password and change the email to some anon throwaway, but I can't do that without Raymond's DOB (don't quote me on that, been a while since I tried).
No need to look for malicious intentions, this is just a feature that costs money so it's very low (or zero) priority for profit driven organisations.
I wonder if finding the people responsible and spamming them with their own service emails would make the team care enough to fix this. But of course that's mostly dubious, probably illegal, and shouldn't be the responsibility of some vigilante hacker.
> No need to look for malicious intentions, this is just a feature that costs money so it's very low (or zero) priority for profit driven organisations.
Malicious in-attention then, by the profit driven org? :)
If bartenders are legally (including criminally!) liable in some jurisdictions for their customers, then certainly a chain of legal liability can exist in other industries.
A chronic problem is the idea that if something can't be automated with a human in the loop then it simply can't be done at scale. Technologists will do anything except employ humans to solve social problems.
I prefer "please verify your account" to "thanks for joining" by a lot. The former presumably does not verify when I ignore it. The latter should be illegal but somehow isn't.
I do wish there was a requirement for some sort of "no" button that would stop sending sign up requests entirely.
Any idea what the incentive is for them to put in an email address they can't access?
I run a few websites that accept an email address (all noncommercial, I have no interest in spamming anyone). One of them is the "contact me" feature on my personal website. To prevent spam, I had people just put in their email address and it'll automatically email them my email address. This works perfectly to this day, I haven't got a single spam email on any of the addresses I've handed out, but the ratio of emails sent out to received is probably 50 to 1. Why would anyone put an email address in there if not to contact me? I've been wondering if it's used by mail bombing services, idk if that's a thing but I know of the concept of annoying someone by signing them up for a hundred newsletters. My site doesn't send recurring emails, though, and it doesn't allow putting in more than two email addresses per month, per /24 IPv4 block (and even more strict on v6). It's useless for mail bombing services, but the (presumed) bots keep submitting a steady rate of maybe 2 new email addresses per day, each time from a new ISP in a random country. No email address is ever submitted twice. No rhyme or reason to it. If anyone can make sense of this, that might help me in stopping the abuse.
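The comment above describes a contact form that mails the submitted address and throttles submissions per /24 IPv4 block. The Python below is an added example of such a gate, not the commenter's code; it assumes a /48 bucket for IPv6 (the comment only says "more strict on v6"), a 30-day window of two addresses per bucket, and a global dedupe so no address is ever mailed twice. It also adds a global daily send budget, because a trickle that arrives from a new network every time (the pattern the commenter observes) never trips a per-network limit, so a cap on total outbound mail is what bounds the damage.

```python
"""Per-network and global throttle for a form that sends mail to the
address a visitor types in (added example, constructed inputs)."""
import ipaddress
import time
from collections import defaultdict

MAX_PER_BUCKET = 2                 # addresses per network bucket per window
BUCKET_WINDOW = 30 * 24 * 3600     # 30 days, assumption matching "per month"
GLOBAL_PER_DAY = 5                 # assumption: total sends allowed in any 24h


def bucket_for(ip: str) -> str:
    """Collapse a client IP to its network bucket: /24 for IPv4, /48 for IPv6
    (the /48 is an assumption, the comment only says v6 is stricter)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class SubmissionGate:
    def __init__(self, now=time.time):
        self.now = now                               # injectable clock for testing
        self.seen_addresses = set()                  # every address ever mailed
        self.by_bucket = defaultdict(list)           # bucket -> send timestamps
        self.global_sends = []                       # all send timestamps

    @staticmethod
    def _recent(stamps, cutoff):
        return [t for t in stamps if t > cutoff]

    def allow(self, client_ip: str, email: str):
        """Return (allowed, reason). Only an allowed call records a send."""
        email = email.strip().lower()
        if email in self.seen_addresses:
            return False, "address already mailed once"

        now = self.now()
        self.global_sends = self._recent(self.global_sends, now - 24 * 3600)
        if len(self.global_sends) >= GLOBAL_PER_DAY:
            return False, "global daily send budget exhausted"

        bucket = bucket_for(client_ip)
        recent = self._recent(self.by_bucket[bucket], now - BUCKET_WINDOW)
        self.by_bucket[bucket] = recent
        if len(recent) >= MAX_PER_BUCKET:
            return False, f"quota for {bucket} exhausted"

        recent.append(now)
        self.global_sends.append(now)
        self.seen_addresses.add(email)
        return True, "ok"


def replay(gate: SubmissionGate, submissions):
    """Run a list of (ip, email) pairs through the gate; returns the decisions."""
    return [gate.allow(ip, email) for ip, email in submissions]


if __name__ == "__main__":
    # Constructed sample: the "new network every time" trickle the comment describes.
    trickle = [("203.0.113.5", "a@example.org"), ("198.51.100.9", "b@example.org"),
               ("192.0.2.77", "c@example.org"), ("203.0.113.200", "d@example.org"),
               ("2001:db8:1::1", "e@example.org"), ("2001:db8:2::1", "f@example.org")]
    for (ip, email), (ok, why) in zip(trickle, replay(SubmissionGate(), trickle)):
        print(f"{ip:>18} {email:15} {'SENT' if ok else 'DROP'} ({why})")
```

Per-bucket limits stop one network from abusing the form, but only the global budget stops a distributed trickle; in the sample run above the sixth distinct network is refused by the daily cap, not by any per-network rule.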
One way to do phishing attacks is to inject some payload in an automated mailing so malicious content comes from a valid email address. I wonder if they're testing whatever mail entry they can find with addresses they have access to in attempt to find something usable?
Smartly, I got firstnamemiddleinitiallastname@gmail.com. I never get anybody else's details.
On the other hand... Occasionally someone gets my info because some careless person entered my email address into their system incorrectly. You'd think this problem would be solved by moving to a custom domain, but I still once in a while find someone completely ignore what I put into the form and sign me up as firstnamelastname@gmail.com.
They can't just say "we don't want to deal with small timers who will not pay us big bucks doing nonstandard things" without pushback but they can write the policy so that a huge fraction of those use cases fall into some crack that can only be got out of by incurring the kind of expense that's a non-starter for those users. Your municipal code is rife with examples of this.
People often have trouble with this saying, and that trouble often boils down to the difference between intent and purpose.
The people who create a system have some intent for it. The system may or may not effectively achieve that intent, may or may not outlive the initial conditions that surrounded its creation, and may or may not have side effects.
Purpose is something humans assign. It is sometimes linked to intent. A carpenter's hammer is intended to drive and pull nails, and that is often also its purpose. The purpose of the hammer I keep in my basement is breaking open walnuts.
The phrase is stating that the purpose we should assign to systems when judging them is their outcome, and not the intent behind them.
The registrar relying on Google Safe Browsing as a “trigger” for suspension is the most horrifying thing I’ve seen in a while. This basically makes the entire TLD unviable for serious use.
It's the registry, not the registrar. I made a website that tries to help explain some of the lesser known nuances and risks relating to domains. The section about domain reclassification is based on first hand experience and is especially interesting IMO:
> This basically makes the entire TLD unviable for serious use.
It doesn't just make the TLD in question unusable. I think it makes most of the new gTLDs unusable. Registries can enact policies and systems like this, regardless of the detriment to registrants, due to a lack of oversight and registrant consideration by ICANN. That creates uncertainty and makes it pragmatic for registrants to simply choose the gTLDs with lots of history and precedence; .com, .org, etc..
The only two TLDs I'd personally rely on are .com (gTLD) and .ca (ccTLD).
.online is one of the many TLDs that charge a dollar for registration but bump the price to $30-$35 for renewal. So far, this seems like a good signal to tell apart serious TLDs and ones just preying on customers who sort by cheapest (or capitalizing on one-off phishing domains).
More generally, I think it's advisable to prefer the ccTLDs of places that are politically stable. And (IMO) to view com/net/org as defacto US ccTLDs (technically they aren't but for all practical purposes they might as well be).
This is the real story. This is 100% a problem with Radix. Safe browsing targets the website not the domain. No reason a registrar should be suspending an entire account over something a company reports. Black-holing the A and CNAMEs on a subdomain? Maybe..... But even then I don't think it's the registrars place to do that. Freezing the entire account? Absolutely not.
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
That should be enough to trigger an antitrust case against Google and a split of its activities, when, despite being unrelated, it becomes the gatekeeper of your presence on the internet.
These alternative domains are quite popular with the fediverse and other hobbyist-run groups. Affordable domains with somewhat recognisable names still available.
Scam websites will use any TLD in my experience. Based on the ones that made it to my Google search results, .it and .info are the TLDs I should be blocking. When I search for "free roblox cash", most websites are .com. "Free robux" also brings forth a few .ca websites. "Free steam gift card" leads to .org and .com.
Despite blocking 66 TLDs and all IDN ccTLDs on my home dns I didn’t have these blocked. Guess I’ll consider it. Once you have the hagezi rpz files including threat information feed though you really have blocked most silliness.
> The domain ... has been suspended due to its blacklisting on Google Safe Browsing
Et voilà ... ! this is precisely the slippery slope I warned about a decade ago. The indirect censorship becomes direct censorship, defeating all the arguments about the morality of such a list. And:
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
This is 100% on Radix, not on Google. Google and Microsoft can (and probably should) have a registry of known-abusive websites. False positives are inevitable, so these should be taken with a grain of salt, but in most cases they're correct. Their lists are a lot more reliable than those from the "traditional" antivirus/anti-scam vendors that will list anything remotely strange to pump up their numbers.
The external people treating these lists as absolute truths and automatically taking domains down are the ones at fault here. Google didn't grab power, Radix gave it to them without asking.
Exactly what we predicted would happen (someone would eventually put "too much faith" in this list) has literally happened, and your defense is still "well it's not Google's fault, it's a 3rd party's!". Obviously the point is not that Google was going to do it, but that others would, analogous to the process known as "self-censorship".
Self censorship requires a threat or risk of detriment if the party doesn't self censor, right? Where is that here?
What Radix does has no impact on Google, and I don't see how Google would be incentivized to pressure Radix. So I don't see how to make the leap blaming Google for Radix's incompetence. Yes, Google should recognize the risk of this happening, but they'd have to balance that against the rewards (or at least what they consider rewards)
Google is making false statements about the safety of a domain and it has significant collateral damage. Google is the cause. They should be liable for losses.
I had my main family domain put on Google's safe browsing block list and it has a massive impact. No one can visit the site. I think apps using system browser runtimes (i.e. mobile) may stop working. I've seen reports that it can impact email deliverability. And, now, we see that it can get your domain put on serverHold so the problem becomes impossible to rectify.
Google should have to pay for the damage. In my case, it was about 4h of work to figure out what was going on and how to fix it, so not much, but I've seen small businesses that rely on their primary domain to drive most of their sales via web and email. In those cases, having your domain placed on server hold because of Google's false statements can have a serious, detrimental financial effect.
That's fair, if your domain is erroneously put on the block list, Google should be liable for the consequences.
But my point is that any knock-on effects like domain suspension, email deliverability, etc. stem from 3rd parties misusing the safe browsing list outside the scope of safe browsing.
I don't see how Google can be blamed for other companies erroneously treating the safe browsing list as a source of truth for generally malicious domains
> But my point is that any knock-on effects like domain suspension, email deliverability, etc. stem from 3rd parties misusing the safe browsing list outside the scope of safe browsing.
That's fair and I agree. My opinion is that both should be liable in a case like this. If I had to attribute it, my starting point would be that Google is liable for the loss of website traffic and the registry is liable for the loss of email and all other lost services due to the domain suspension.
It spirals though because, like you pointed out, no one forced (ex:) Mozilla or Apple to adopt the blacklist. They did that voluntarily, so they should be responsible for their share. That's why nothing ever gets fixed. It's broken, but there's so much potential for finger pointing that no one gets pinned down and held responsible.
The answer is always the same IMO. Break up big tech companies into a million little pieces.
A lot of laws use the phrase "known, or should have known"
Google should not have known that someone would misuse their block list to block domains. But now that someone is misusing their block list to block domains, if someone brings it to their attention, the next time this happens, they will have known it.
I am not a lawyer, I am not your lawyer, and this is not legal advice.
I read your comment as agreeing with the article: "Never buy a .online domain".
And Google has the right to publish a list, there should be more lists not less. But Google was at fault for not correcting their blacklist. Until the article appeared on Hacker News, this was not 0% on Google. A small, correctable mistake, but they deserved a tiny bit of blame.
What do you mean, external people? Aren't these lists integrated into the browsers? I'm sure if you try to open a website from this list your browser won't let you and will put up a big warning sign.
Google doesn't sell their list to you. They give it to you for free. Using their list costs them money. Pumping up numbers gains them nothing but the headache of PR issues when they get a false positive.
Spyware filters used to boast about how many domains they filter out because they wanted you to buy their filters instead of someone else's. By the time they hit a false positive, they've already sold a year's subscription to that customer.
Step 1: Get everyone to use your free internet filter
Step 2: Alter filters to mark newly-registered domains and low-traffic websites as "potentially harmful".
Step 3: Charge a lot of money for "business verification" - which gives them a fancy badge somewhere and incidentally makes their website trustworthy in the eyes of your filter.
Step 4: Profit!
The Big Tech cartel has been doing this pretty successfully with email (see the weekly "Don't self-host your email" posts), why should we assume they are doing anything different with browser-based website blocking?
Indeed. I was going to register an account somewhere the other day, and the signup form had a list of acceptable email domains. Gmail, Protonmail, Outlook, Yahoo, Icloud... a few others. It's not the first time that's happened to me. Sad.
EDIT: Didn't even include Fastmail, who's pretty big after all. They host MX for my domain, so I could have "circumvented" it that way with their disposable address feature, but nope.
I've found that, whenever considering Google's actions and incentives, you need to remember two things:
- They make almost all their money on advertising
- They have deep ties to the US intelligence agencies (To the point that a Google employee managed the appointment calendar for our Secretary of State a few years ago!)
So, how would these incentives apply to their Internet blacklist?
- If you are parking lots of Google ad spam, they are taking a cut of your revenue, so they have an incentive to take you off the list (evidence and testimony from the antitrust trial documented ongoing fraud in every layer of Google's vertical ad monopoly)
- If you are hosting something the intelligence agencies dislike / are neutral to / like, that'll impact your presence on the list.
Google wants you to use it. If it blacklists excess domains that hold legitimate sites, their product gets worse. If they blacklist illegitimate sites, their product gets better.
Cute. That is the commenter's whole point about monopolies. Google is on record making their product worse to squeeze revenue. We've been living in the enshittification economy.
Sure, until their "smart filters" start considering GCP-hosted websites as pre-verified and small self-hosted websites as malicious. You know, like they have been doing with email?
Chrome is big enough that a website owner can't afford a false positive on their malware list, just like they can't afford to have all their email end up in spam for all Gmail users.
Due to their near-monopoly Google also has no incentive to avoid adding false positives to their blocklist - provided they don't accidentally block high-profile targets. And if a CxO is screaming over your shoulder that your website has been blocked, arguments about "false positives" aren't very compelling: they'll just demand you move off the "shitty basement provider" and switch to "proper hosting, like the Google Cloud"...
> We've been living in the enshittification economy.
That whiny bullshit about somebody else's website? You don't have to rely on a website or app. Either you need their monopoly because you can't do it yourself, or you have options... In both cases the whining is not needed.
Nobody sees Google's numbers except Google... in other words, the numbers are not a sales tool for Google like they are for anti-virus/blocking companies. So, there's no reason for Google to pump up their numbers, it would just be extra work to make their product worse which wouldn't make sense.
Nothing, but they haven't done it so far, and they don't really have any incentive to do so.
It doesn't really matter that it's Google. It could have been Microsoft, or PAN, or McAfee or some fly-by-night vendor. The problem was Radix taking the list as iron-clad truth and disabling the domain without any notification or way to resolve the issue.
Google’s allowed to have an opinion. But that doesn’t mean that the registrar should be suspending the domain immediately in response. These two mechanisms should be decoupled.
How is any kind of antivirus or threat detection software supposed to operate on this standard?
Libel suits can be financially catastrophic, so even a tiny false positive rate could present risk that disincentivizes producing such software at all.
And a threat detection mechanism that has a 0.0% false positive rate is conservative to the point of being nearly useless.
I think that is the idea. They shouldn't exist without a prompt mitigation path.
In other words, if you can't deal with the false positives in a timely manner. You SHOULD be liable for the damages.
I can't build a budget car put together in an unsafe manner, then complain I can't compete due to all the people's cars crashing and blowing up and them suing me.
You document your claims with concrete evidence of fraud. That will be your libel defense. No evidence means you bear the full responsibility of a fuckup.
At internet scale, this would roughly be equivalent to not doing any warning or detection at all.
Scalable systems need to use heuristics to catch threats. Needing concrete evidence in every case means that an enormously higher amount of malicious resources will not be flagged.
There is a policy argument as to the right balance of concerns here. But there is a clear trade-off to make.
Then that heuristic is your evidence in court. If it's a good heuristic, you win the case. If it's a bad heuristic, you lose the case.
"Your Honor, we banned this person's website because his web page contained the word 'bitcoin' more than 5 times" will not hold up.
"Your Honor, we banned this person's website because it contains a bitcoin miner script. See, here is the script, and it matches the hash value found in these other attacks" hopefully holds up.
You're welcome to cite case law if you want to insist. Otherwise, unsafe (in the context of infosec) has a definition of likely or able to cause harm or malfunction. Something that is provable or falsifiable with evidence.
I'm curious as to how you would prove that it would be impossible for any resource accessible under a given DNS domain to ever cause harm to anyone else.
Isn't "oops we made a mistake" actually a valid defense to libel in most US states? I thought you had to prove it was intentional to some extent? Or reckless/negligent? IANAL.
Google takes no action to review the reports that their warnings are false until you sign up for Google products (namely - registering the site in their search console).
I reported a falsely flagged site repeatedly for weeks with absolutely no action from them.
Mozilla and Microsoft both did actually remove the warnings after the reports (Edge and Firefox stopped displaying the warning). Google did not. Google strong armed me into registering for google products, like a fucking bastard of a company.
This was the moment I went from "I don't love google anymore" to "Google can get fucked".
I wish them bankruptcy and every damn legal consequence that is possible to enforce.
"I believed it to be true" is a defense. But negligence isn't. In fact, that is usually what you want to prove, that they acted on things that a reasonable person (or a person that is supposed to be skilled in that field) can see is not true.
Whether that's true or not is irrelevant if it's defined by law differently. Even without case law and precedent you'd still have to test it in court, which for libel can be prohibitively expensive.
For clarity I'm not agreeing or disagreeing, but what makes sense to the layperson (including experts in a particular field) is sometimes at odds with what the law says.
Google is stating in a position of authority. It's therefore being stated as at least a professional opinion with the equivalent weight of fact, or representing facts.
If the opinion is meant to be just another opinion, then it shouldn't cause any blacklisting of any sorts anywhere.
Not to mention that the whole point of the list is for blocking in e.g. web browsers. Claiming it is just an opinion would be like a mobster claiming they didn't actually order a hit.
> If the opinion is meant to be just another opinion, then it shouldn't cause any blacklisting of any sorts anywhere.
I agree with this! The registrar should not have triggered a suspension because of this. They're not obligated to, and the two processes should be decoupled.
The registrar should ignore reports of abuse, especially if coming from an authoritative source with vast resources that's been collecting reports on its own?
No.
The source should be more careful. It's the equivalent of a renowned newspaper printing a warning that a restaurant is unsafe to visit. Should the customers' willingness to visit be magically decoupled from this opinion?
It's like a renowned newspaper saying the restaurant is unsafe, and then also the restaurant's landlord taking it at face value and locking the doors without further investigation. Both can be wrong.
> The registrar should ignore reports of abuse, especially if coming from an authoritative source with vast resources that's been collecting reports on its own?
I'm not saying they should "ignore" reports of abuse but treat them as they are -- reports. They can then perform their own independent investigation.
That may well have happened here. I suspect the author isn't telling us something.
Depends on jurisdiction. In the UK it's not an absolute defence, you still have to prove it's an opinion a "reasonable person" could come to based on facts.
“unsafe” is a term that is both broader and more vague, so I would consider it opinion unless backed up by appropriate facts (like “contains CSAM”, “contains malware”, and so forth).
As someone who has also been bit by this, and with the only possible resolution being that I sign up for google services and register my site with them in the google search dashboard...
Fuck Google.
This is absolutely libel. They put a big fucking red banner on top of my site, telling the world that it's unsafe, using all the authority they have as one of the largest tech companies in the world.
In my case - it was a jellyfin instance I'd stood up to host family videos of my kids for my parents.
It was not compromised, and showed only a login page. I reported it as a false flag repeatedly, for weeks, with Google doing jack fucking shit.
Only after signing up in their search console and registering the site did the warning disappear.
They are abusively forcing people into their products. Fuck Google.
In case it wasn't entirely clear - Google can get fucked. Fuck Google.
There’s nothing wrong with your dislike of Google. No matter how much you dislike them, though, the word “libel” has a meaning that should be respected. To opine that a site is unsafe is simply not libelous.
It's libelous in Germany unless you can prove it's true. In fact people regularly get punished in Germany for things like calling politicians idiots, because they can't prove they are idiots. https://www.ft.com/content/27626fa8-3379-4b69-891d-379401675...
That sounds like a spurious distinction. Pretty sure you can’t say “Person X is a murderer” and then say “well I’m only expressing my opinion, and in my opinion if you do something that annoys me that qualifies as murder.”
Nope, not in the US. It is perfectly legal to say, for example, "Kyle Rittenhouse is a murderer" despite him being acquitted. You're entirely free to disagree with the result, that is an opinion. Any opinion based on public knowledge is ok. It doesn't even have to be reasonable or rational.
What you can't do is imply non-public knowledge, aka "I heard from my cousin who works in law enforcement that Kyle murdered a hobo when he was 12 but the records were sealed", or state specific facts that can be proven true or false: "Kyle murdered a hobo on September 11, 2018 out back of the 7-11 in Gainesville, FL"
The standard for libel/slander is much, much higher than people think. It's extremely difficult to meet them, and for public figures, it's almost impossible.
Sure it is, that's how the 1A works. Saying he was convicted of murder is not true, but calling him a murderer is an opinion. Your opinion doesn't even have to be reasonable. It just has to be based on facts that both you and I have.
1A rights are construed really broadly. The courts don't do the 'he wasn't legally convicted therefore it's illegal to call him one' thing.
If that were true, news organizations wouldn't be as careful as they are to preface the word "alleged" before the behavior -- before or after a trial. I don't think you'll find any reputable commercial newsgathering organization that makes a plain statement that Kyle Rittenhouse is a murderer.
The First Amendment doesn't protect the speaker against all forms of defamation (though it does put some barriers up that make it harder to win in some circumstances). If it did, defamation as a cause of action wouldn't exist at all.
As a practical matter, though, this is largely theoretical. Once you've been through the rigamarole of arrest, prosecution, and trial, even if you're found not guilty of the crimes committed, the reputational damage is just too widespread. You're not going to go after the defamers: there are just too many, and if you tried, there would be a fair question as to whether you have any positive reputation left to injure. Your life is pretty much ruined. It's a pretty terrible situation for the wrongly accused.
In my opinion, a .online domain is unsafe. 99% of people only visit ".com"s unless they clicked a scam link. Completely blocking the site is overkill, but the browser should warn you about it like it does with non-SSL sites.
They should be held legally culpable for libellous claims they make.
I don't care if their pre-LLM AI says "thingy bad". They are responsible for the scripts or black boxes they control. I don't care if they don't give a reason.
Claiming bad/malicious/etc site is 100% libel. And doubly so, anybody who has been forced to agree to a ToS with binding arbitration should have it removed for libel.
The words in your link do not support the words in your comment. Don't be snarky unless you are certain you're correct.
> a plaintiff must show four things: 1) a false statement purporting to be fact; 2) publication or communication of that statement to a third person; 3) fault amounting to at least negligence; and 4) damages, or some harm caused to the reputation of the person or entity who is the subject of the statement.
They falsely marked the site unsafe[1] on a published list[2], the results weren't checked and couldn't be appealed[3] and OPs site was taken down[4].
"When Google marks a site as "unsafe" or "dangerous" in Chrome or search results, it is a factual finding based on automated detection of specific, technical security threats, rather than a subjective opinion. These warnings are triggered by Google’s Safe Browsing technology, which scans billions of URLs daily to protect users from malicious content"
Opinions and facts in a legal context usually come down to who is saying what. Someone personally says "this soup is bad" on a review site = opinion. A news site plastering it on their front page = fact.
A person saying something as an individual is usually considered an opinion. A company doesn't have that same protection.
> "When Google marks a site as "unsafe" or "dangerous" in Chrome or search results, it is a factual finding based on automated detection of specific, technical security threats, rather than a subjective opinion. These warnings are triggered by Google’s Safe Browsing technology, which scans billions of URLs daily to protect users from malicious content"
Nope. Not correct. Companies have the same 1A rights, too.
In the US, it really doesn't matter who says it, the only thing that matters is who it's being said about.
If you are a "public figure" -- which is a much broader category in 1A law than you think -- then in order to prove defamation, you have to prove the thing was false _and_ that the person saying it knew it was false at the time. Not that they were mistaken, not that they were careless, not that they knew later, they deliberately lied and knew they lied as they said it.
If your next question is "how do you prove what someone was thinking", then yes. That is the reason it's nearly impossible.
Not talking about 1A rights or public figures. We are talking about
Opinions (Protected) vs Facts (Not Protected)
Defamation cases where individuals say something are usually considered opinions and companies are usually considered facts in the eyes of the courts. I say "Usually"
Defamation also DOES NOT require intent, but it requires a minimum level of fault (negligence)
Google saying something is unsafe in the web search or browser would not be considered an opinion because of their position of authority. It would not even be a debate since Google has already said they make decisions based on facts and data presented to them.
The only question is are they negligent in their assessment or response to a false report. And what would be the damages. In the case of a phishing report that is false courts would already consider it defamation per se (damages presumed)
We are absolutely talking about the 1A lol. Defamation is 1A law. It is one of the few recognized exceptions to the 1A.
And we are also 100% talking about public figures. "Public figures" include companies and it's a critical part of 1A since Times v Sullivan.
Google is a US company and has 1A rights. That's how it works. The rest of what you said is nonsense and is your idea of how it should work, but has nothing to do with how it actually works.
To be more accurate, defamation is civil tort law, circumscribed by the First Amendment. (Defamation as a cause of action is quite old, reaching back to our English common law roots, and goes back further in history, I believe.)
If a newspaper publishes a false story about a business and someone takes it upon themselves to attack the business, it's partially the newspaper's fault.
If a newspaper publishes a story about a business and someone takes it upon themselves to attack the business, the attacker is at fault, regardless of the veracity of the newspapers claims.
I am in Canada, but I think it is the same in the US? A newspaper can be responsible here. For example, if they say "people should riot" and a riot happens, the newspaper could be responsible for all actions that resulted, the same as if they were the ones doing the crime.
Same with if they become aware of defamation and fail to retract and make a statement. But newspapers will generally also thoroughly investigate themselves to make sure what they are publishing is true.
It is not the same in the U.S. (And, to be honest, I'm quite doubtful this is true in Canada, though I could be persuaded through legal citations that it is.)
I always wonder what the settlement and damages would be if google marked Amazon as a phishing site for even a few minutes.
The problem is that these gatekeepers of the internet respond to false statements of facts/opinions by so called professionals.
I had Cloudflare mark a worker as phishing because an AI "security company" thought my 301 redirect to their client's website was somehow malicious. (URL redirects are normal affiliate things.)
If the professionals don't understand the difference and cloudflare and google blindly block things, this is scary.
There is a potentially different cause of action, tortious interference with business relationships. It does require that the defendant intended to interfere in a way that would cause harm to the plaintiff, though. Proving Google intended such harm would be difficult and expensive.
Google intends harm to everyone on that list. That's the point of the list. Google is unlikely to have intended this specific harm, but they don't have to.
Marking a website as "unsafe" in Chrome is equal to standing in front of the door of a small restaurant and blocking 71% of people going inside. Everyone first has to agree that they will enter the restaurant at their own risk.
That is more than an opinion. Chrome has a monopoly and should act accordingly. Blocking entry to a website should be a last resort, not just because someone didn't add their website to the whitelist.
Yeah. Everyone uses their list and being blocked by all web browsers is like having someone cover the doorway with a massive DANGER sign. It's insane that people are roaming around here arguing that it's ok because the damage caused is a necessity for "internet scale".
Right now, any damages are completely speculative at this point. I would suspect in this case, the damages are minimal, and taken in the broader context, the good outweighs the harm. Do you have evidence to the contrary?
(IANAL) It's not about how it's stated, but whether it can be objectively proven to be true or false. "unsafe" refers to the likelihood of something bad happening in the future. You can't prove that something bad will happen in the future, so it's opinion.
Also not a lawyer, but that makes intuitive sense. If I say "that food tastes bad", it's phrased as a fact, but a "reasonable person" (which is in fact a legal test used for some things, although I admit I'm not sure about libel) knows that there's an implicit "...to me" qualifier because the concept of taste itself is inherently subjective. My instinct is that while there are some things everyone would agree on as unsafe, it pretty quickly turns into a judgment call, and it probably makes sense to allow even ill-informed opinions that are made in good faith rather than malice or negligence. The question then becomes whether there's sufficient evidence to conclude something like that, and while the bar is lower for a libel claim than something criminal, it's still not obvious this would be provable here.
"Unsafe" is just a terribly vague word, too. As a layman, I wouldn't even know what that means with respect to a web site. What's "unsafe" about it? Is it going to shoot my dog? Is it going to drain my bank account? Is it going to give my computer a virus? Saying a web site is "unsafe" really isn't providing any interesting information, and it shouldn't be acted upon by pretty much anyone.
This seems like a distinction without difference, given everyone in the ecosystem takes that "opinion" as true fact, including the market-leading browser produced by the "opinion"-haver.
I get that's mostly what corporate lawyers argue about, but it's functionally dishonest in this case.
That is the bit that jumped at me immediately too. Why would a registrar take it upon itself to suspend a domain that another entity entirely blacklisted as part of their own completely opaque process? Who is Google? God?
On the flip side of the coin I cannot get a site removed that is a blatant rip off of one of our websites being actively used for invoice redirection fraud.
It's like being unable to get a passport because Microsoft has you on The List, and Microsoft needs to see your passport to check why you're on the list.
Considering that getting a domain is a normal part of business these days, this kind of thing should be illegal. Not to mention, why does Google have any say in this?
I am suspecting something like this too but what is the mechanism by which Google would have influence on the registrar? As far as they are concerned the domain is gone from their index.
It doesn't sound reasonable to me at all. Why would we think that the reasons google blacklists a domain would align perfectly with reasons a domain name would be suspended? In the end they don't seem to agree already since the domain was unsuspended. Who knows why it was blacklisted by google? Even the decision to unsuspend it looks arbitrary.
I wonder if Radix has unknowingly created a negative feedback loop here. From Google's perspective, the DNS records disappear shortly after being flagged by Safe Browsing, which their heuristics may interpret as scammy behavior.
It's not about the .online TLD being "weird". The problem is that it was free. That's going to attract a swarm of fraudsters, spammers, etc, and then turn into a strong "this is probably fraud" signal in all kinds of fraud scoring systems.
There are lots of domains out there other than .com that are just fine.
.online, .top, .xyz, .info and .shop are some of the top TLDs that scammers use, precisely because of their rock-bottom registrar fees that make them attractive for sites that have a shelf life of a few hours or a few days before being blocked. As a result, many places have a blanket "suspicious" flag for fresh domains under these TLDs.
If you plan on building a legit site, do not use any of these cheap TLDs.
Paying through the nose for a .com that is remotely memorable and easy to spell is not a great path forward for a hobbyist or someone who simply wants their own domain for email.
I know someone with a .org domain, and even they have a ton of issues with false flags on their emails due to not coming from a big email provider. They’ve been blacklisted a couple times and regularly get flagged as spam. I’m surprised he hasn’t given up after dealing with this stuff for 25 years.
These new TLDs, I thought, were supposed to open up more options for regular people to get a domain that is semi-decent. Instead they’re essentially useless. Some of the prices are also still insane, due to assumed “premium” status or domain squatters.
There has to be a better way to police this stuff.
Probably this is what's happened here. Either the OP's domain was previously used for shady activities, or the almost-free stigma puts the whole TLD in the grey list of high-risk assets. It probably also explains the nuclear behavior of the registrar (suspension).
Side note: My empirical experience is that vanity domains are disliked by some enterprise security systems. I have a friend who owns a .homes domain which ended up being blocked by quad9 as well as the enterprise security system of a friend's work for ~half a year. The block cleared by itself.
I had the same experience while buying another TLD. For ~1 month, certain people whose ISP "helpfully" had "safe browsing" features, simply blocked us outright. For being new and different.
The learning for me was that new domains are no longer trusted, and seemingly some vanity domains get even more strict treatment.
Even (uncommon) country TLDs too. I own a .vg domain which is a perfect match with the initials of my last name. My mails end up in spam quite often too, despite having set up SPF, DKIM, DMARC and all that stuff correctly. It's just not common, so some security systems block it.
This does unfortunately actually work pretty well as a security measure. The new domains that are cheap and good for fun side projects are also cheap for scammers.
For a while I noticed all the scam links my grandmother was getting were from ‘.top’ domains. I fully blocked it at the DNS level. Her DNS settings also block all newly registered sites for 90 days. She hasn’t ever had issues with it. But these have actively prevented her from clicking on scam links multiple times.
Facebook, google, and all the popular sites are all older than 90 days, on popular well known TLDs. My grandmother doesn’t seek out new trendy sites.
It was definitely something I considered when buying a new domain. I sorted by price, and then immediately ignored all the cheapest domains that were ~$1 because I’ve seen them being used for scams. They may be cheap but good luck using them.
Because the entire security mechanism of the www today is "look at the domain name to make sure it matches." And the TLD is at the end where people might miss it.
I still remember how Google banned my entire account without providing a reason for a small Android app (more than 12 years ago). To this day I have no idea why, it was absolutely green-area fit tracker or something. There was absolutely no way to know the reason or unblock my account. Turned me away from Android development forever.
A relative’s business has had Google reviews frozen for years. Search results show the bad rating after some former customer and spouse left bad reviews several years ago. Appeal went into a black hole. Running a small business is at the pleasure of Silicon Valley.
It doesn't work, there was a Google employee here mentioning they assign a degree of separation to each account, any accounts that are deemed "close", are included when the ban hammer falls.
If it's already in the Console when it gets blacklisted, you can appeal it without having to 'verify' ownership of the domain that, in this case, you no longer control the DNS of, because you completed that process when adding it to Console.
> I don't understand. What is Google Search Console, and should I add all my domains there right now?
Google's way of tying real identities of people to domains, without making it explicit.
Basically, your domain will be weirdly treated by a bunch of entities, not least Google themselves, if you don't add your domain there (or some other Google property).
Especially with less common TLDs, like .online, they really want to be able to tie it to some identity, so unless you add it there, eventually your domain ends up on some sort of blacklist, in the case of the author it seems they used the "Google Safe Browsing" blacklist to get the author to involve Google somehow.
I also get “there were crawl errors”, which upon investigation are for pages that never existed (and I’ve owned the domain for 20 years, so its not a previous owner/operator thing)
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
I'm not particularly familiar with SEO or the massive black box that is Google Search - is this really as critical as the author makes it seem? I have both .lol and .party domains, both through porkbun (and the TLDs seem to be administrated by Uniregistry and Famous Four Media, respectively), and both are able to be found on Google Search. It seems like this preemptive blacklisting would be the result of some heuristics on Google's end; is .online just one of the "cursed" TLDs like .tk?
> is this really as critical as the author makes it seem?
It is critical in the sense that if you want to appeal the decision in a case like this, it will go much better if you pre-verified that you own the domain.
(I don't think it has much effect on google search placement at all)
Yeah I'm guessing the TLD was the main signal, based on other comments linking to a thread about "Pinggy", who was also using a .online. The fact that Namecheap is giving them out for free means they probably are more scammy on average.
I've also never added domains to Google Search Console and haven't had blacklisting issue other than with a free .ml (another "cursed" TLD) site that was by default assumed to be spam by Facebook Messenger.
It's unfortunate that this category exists, but I don't share the OP's .com purism; I've used a mix of TLDs and even the cheap ones like .fyi and .cc haven't come under extra scrutiny as far as I can tell.
Domains are signaling. If you have a .online domain you are signaling you can't afford the equivalent .com domain. All the TLD annoyance is a consequence of the lack of status pressure ameliorating the experience of those domain holders (in the same way you never see public health crises in rich neighborhoods)
If you have a .online domain you are signaling you can't afford the equivalent .com domain.
Or don't want to pay a $2k ransom to a name squatter... For some businesses that is a rounding error (saas, other high volume high margin stuff), but for small businesses like restaurants or event planners, spending that much on a domain name would be foolish.
It sucks so much that there is no standard way of linking additional domains to your main one and inheriting the reputation.
Want to set up a new domain for whatever purposes (conference, new product, etc)? Be prepared to spend the first half a year fighting the various blacklists before people can actually reliably connect.
Would make so much sense if you could just have a .well-known/other-domains.txt (or something something DNS) with a list of domain names that should be considered just as trustworthy as your main domain.
It's not even about .online or other weird TLDs, it's just that the domain is new and therefore "not trustworthy". Even worse if you need to use your existing branding on the new domain - instantly flagged as a phishing site everywhere.
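The ".well-known/other-domains.txt" idea above has no standard behind it, so the following is an added sketch rather than anything from the thread or an existing spec: the file path, the one-hostname-per-line format and the mutual-listing rule are all assumptions. The point the sketch adds is the check a reputation system would need before honouring such a file: the main domain must list the new domain AND the new domain must list the main domain back, otherwise anyone could "inherit" a popular domain's reputation by naming it. Fetches are replaced by a constructed in-memory map so it runs offline.

```python
import re
from typing import Dict, Set

WELL_KNOWN_PATH = "/.well-known/other-domains.txt"  # assumed path, not a standard

# Constructed stand-in for HTTPS fetches: "host + path" -> file body.
CONSTRUCTED_SITES: Dict[str, str] = {
    "example.com" + WELL_KNOWN_PATH: (
        "# domains operated by example.com\n"
        "conf2025.example\n"
        "shop.example\n"
        "*.wildcard.example   # malformed entry, must be ignored\n"
    ),
    "conf2025.example" + WELL_KNOWN_PATH: "example.com\n",   # links back: accepted
    "shop.example" + WELL_KNOWN_PATH: "",                    # no back-link: rejected
    "impostor.example" + WELL_KNOWN_PATH: "example.com\n",   # one-sided claim: rejected
}

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_hostname(name: str) -> bool:
    """Strict hostname syntax: no wildcards, URLs, ports or whitespace."""
    return 0 < len(name) <= 253 and all(_LABEL.match(label) for label in name.split("."))


def parse_domain_list(body: str) -> Set[str]:
    """One hostname per line, '#' starts a comment, blank lines ignored.
    Names are lowercased and a trailing dot stripped so comparisons are exact;
    malformed entries are dropped rather than trusted."""
    names: Set[str] = set()
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if line and is_hostname(line):
            names.add(line)
    return names


def fetch(host: str, sites: Dict[str, str]) -> str:
    """Stand-in for an HTTPS GET of the well-known file; a missing file is an empty list."""
    return sites.get(host + WELL_KNOWN_PATH, "")


def affiliated_domains(main: str, sites: Dict[str, str]) -> Set[str]:
    """Domains allowed to inherit main's reputation: listed by main AND listing main back."""
    claimed = parse_domain_list(fetch(main, sites))
    return {d for d in claimed if main in parse_domain_list(fetch(d, sites))}


def inherits_reputation(candidate: str, main: str, sites: Dict[str, str]) -> bool:
    return candidate.lower().rstrip(".") in affiliated_domains(main, sites)


if __name__ == "__main__":
    print(sorted(affiliated_domains("example.com", CONSTRUCTED_SITES)))
```

Note that the file on the main domain alone proves nothing: control of shop.example is never demonstrated, and impostor.example's claim is ignored because example.com never lists it.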
We need to rethink the web so that fewer third parties are involved in things that seem on the surface to be an A-B conversation. To say nothing of the trustworthiness of those parties, having them involved at all is needlessly brittle.
Moral of the story: never ever use a registry that bases its decisions on Google Safe Browsing. Radix in this case. A very modern looking website for really caveman support.
Does anybody know any good alternative to Name Cheap? It seems like they keep raising prices on all the domains. Website is very sluggish, especially for finding domains quickly.
Wow, thanks. You were right. I Googled and it says Cloudflare is cheaper by twenty-five to fifty percent on renewals. I'm really sick of namecheap. They seem to never stop raising prices. But I'm also kinda wary and afraid of moving domains and losing it.
Cloudflare is doing the enshittification strategy, enticing you now, and then extracting value later. You don't want your domains to be in Cloudflare when they lock the gates. If it's a temporary domain, go ahead I suppose.
But was this because it's .online? I got one and it was fine.
The only issue was the usual trap with all Namecheap domains: They tell you it's all set, and it works, until they randomly email you a week later asking for email verification. If you don't do that promptly, they suspend your domain until you trigger a resend. Which is easy to fix but also strange.
The blog post details that the TLD registry, Radix, decided that getting put on Google's safe browsing list means they put a serverhold on your domain, which prevents you from getting off the safe browsing list.
So yes, this appears to be a TLD- (or at least registry-) specific issue.
The problem isn't Google Safe Search blacklisting the site (I mean that also is a problem, but a very different one).
The problem is the vanity domain registrar Radix using that as a reason to _put the whole domain on hold, including all subdomains, email entries etc._
This means:
- no way to fix accidental wrong "safe search" blacklisting
- if it was your main domain no mails with all the things it entails
- no way to redirect API servers, apps etc. to a different domain. In general it's not just the website which is down, it's all apps, APIs, or anything you had on that domain
Google Safe search is meant to help keep chrome users safe from phishing etc. It is fundamentally not designed to be an Authority Institute which can unilaterally dictate which domains are no longer usable at all.
Like basically what Radix did was a full domain take down of the kind you normally need a judge order for... caused by a safe browsing helper service misfiring. That is REALLY bad, and they refuse to fix their mistake, too.
You normally don't have _that_ level of fundamentally broken internal processes absurdity with the more reputable TLD operators (which doesn't mean you don't have that in edge cases, but this isn't an edge case, this is their standard policy).
At the same time given the already terrible reputation of such vanity TLDs, being this hard on abuse might be the only survivable way.
That's not me saying there shouldn't be a warning and a recourse, but the time-to-profit for domain abuse is really short so anti-abuse actions have to be quick.
I'm fairly sure that Safe Browsing's false-positive rate is extremely low otherwise it'd be unusable in Chrome. Which also means that acting on positive results is very likely a correct approach.
Safe browsing is meant for websites, not domain names. You really want your registry acting on it and nuking your email services, intranet services, cert renewal automation, et cetera?
My understanding from the article is that because the registrar for this domain is using Google safe browsing for their domain suspension, something that a) shouldn't be the case and b) isn't the case for other, perhaps more mainstream TLDs
The registrar suspends the domain because it is on Google's blocked list. And Google refuses to review the ban because he can't prove he owns that domain (because it's suspended :D).
The first mistake anyone makes is thinking they are “buying” anything with a domain. You’re renting it. And the company you are renting from can arbitrarily push up the price above inflation. NameCheap is good for the basics. But a .site or .online domain is a no-go beyond an MVP/test.
I'm sorry that the author got bitten by this. But .com purism is funny to me. I only buy GTLDs for personal projects, and I've never had a problem before. But then, I've never bought .online.
.com, .org have legacy contracts eliminating the shenanigans they can pull. .org did try to get out of restrictions on hiking the price on renewals, but weren’t successful. So all my domains are either .com, .org or the TLD for the country where I live (of course, how trustworthy your local ccTLD is varies)
> Freenom’s terms of service allowed them to “cancel” a free domain at any time without warning. Users reported for years that as soon as their free site started getting significant traffic (and becoming valuable), Freenom would reclaim the domain and fill it with ads, effectively hijacking the user’s hard work.
At least for the last few years of Freenom, you could only get a domain for up to a year. Once that lapsed, they parked it and you had to pay to extend it further.
Are you 100 percent certain that the domain name wasn't registered before and then got on the blacklist because of prior misuse?
It's quite possible that the domain you chose was registered previously and dropped because the previous owner misused it and burned that domain. The .ONLINE extension has been around for several years now.
I can't be 100% sure but googling showed nothing. My site was up for almost 6 weeks with no issues. I used the domain for Apple's review process too. No issues at all.
If the domain is being given away for free, it will be used a lot for scams etc, so a lot of systems will just start blocking it immediately. When I got my first domain, I used one of the free TLDs and my university blocked it completely due to it being a scam. Not for any of the content on it, just the TLD being commonly used by scammers
That’s my question. I’ve launched many fresh websites that have not been marked as unsafe by Google. If they were habitually doing this, there would be far more reports of it.
I suspect there is something the author is not telling us.
Even if the false-positive rate is very small (e.g. 0.01%), you probably won't be affected, but more than a hundred thousand websites would be and that would still be an issue. I have no idea how big the false-positive rate is.
There are many reports of the same happening to other sites, some of the top ones (you can find many more by searching HN for "google safe browsing"):
The domain has no history as far as I could search and the site was up for almost 6 weeks with no issues before it was nuked. I used it with Apple's review process!
The big scary red warning page should at least tell you it’s phishing or malware or something else. OP didn’t have a screenshot of that. You can easily go to a safe browsing test site yourself at testsafebrowsing.appspot.com and find that Google does divulge the category of the blacklisting.
OP says:
> no gore or violence or anything of that sort
That’s not even the right criteria. OP is confused about Google Safe Browsing vs Safe Search.
That sounds like a competitor of yours manually submitting your site to Google for “impersonating” them or something. Anyone can submit URLs to Google to suggest it be blocked: https://safebrowsing.google.com/safebrowsing/report_phish/ Perhaps some overworked underpaid analyst had a lapse of judgement. I’m sorry that this happens to you.
wait, this actually makes things sound even worse because anyone who might not like your product can add it to google and google can sometimes be none the wiser and then add it to phishing link which could then lead to their domains (ie. any TLD's hosted by radix.website) being lost in void essentially unless you have verified the domain in google analytics and even then I would consider this whole situation to be so messy.
At this point, NEVER buy any radix.website TLD domains.
I am seeing pinggy had the same issue with their .online domain and this actually definitely caused hurt to their business https://news.ycombinator.com/item?id=40195410 (I saw this post from their comment in here referencing it)
Took me a minute to realize Sid isn't associated with 0xide.computer. Clever domain name!
Getting Google to index my personal site has been a pain. Every other search engine works fine, but ever since I switched the images on my site to .webp (a format created by Google!), my site's content just doesn't get indexed anymore. I've given up since web search traffic matters less and less these days with LLMs, and it only really bothers me when I'm trying to search for my own articles.
Ha, thank you. I spent more time than I'm willing to admit to come up with it.
I use my older, much longer domain for email and identity (it used to be #3 on SERP for "Sid"). This one is just for giggles so I can blog in peace without affecting the main one.
tried to roll my own email server on a .xyz domain...basically a big no go, couple of emails went through, then nothing, just a black hole. Thanks corpos and the safety theatre.
I believe that .de domains are pretty cool (written another comment about it) but .de are $3.25 for registration and .de is the second most common after .com so from webatla, I see approx 16 million domains.
I don't think that they could ban emails from .de for what its worth.
Personally I like .in domains too. Makes more sense to me because I am well Indian and we all use it quite frequently/sort of intuitively know fwiw but if I just want a domain for email purposes for cheap. Honestly, .de could be good.
https://tld-list.com/ [Try seeing the cheapest renewal rate with top level TLD and ignore .storage which costs 465$ for registration smh]
Some other domains like .top exist as well in this league imo but .de is one of the best if you can find a relevant domain in .de
In Defender for Exchange (or whatever they call the filter in exchange online these days), there is a checkbox that blocks .xyz and .biz as a bundle. Why those two? dunno, but microsoft especially hates them.
Google should really be seeing some anti-trust action for requiring you to create an account with them on their search console in order to contest being added to a blacklist used by all the major browsers.
That’s not fair. Google has no hesitation in banning its own customers either. Combine this with private equity vultures (namecheap) and shitty registrar, you are always one AI token away from being banned.
Yea regarding namecheap/spaceship (their sort of subsidiary company). I once created a tool which could find me a cool short .de domain out of curiosity and I tried using namecheap's bulk domain feature.
It said that https://aid.de was available. I was over the moon happy (silly me) thinking that it's such a good domain or something.
Then I saw aid.de available in namecheap for around 2$ ish but for some reason I took a bath and then later it showed 10$ ish.
Okay, I then went to spaceship and it also showed me aid.de available. I then took my card and signed up
Well the transaction took place but got refunded. It said that there was an issue or something and got insta refunded
Silly me, thought that the payment had issues and decided to do payment again. This time though my refund had to wait 10 days to come back because of international laws.
Now I had only a very little amount stuck but I can see someone losing substantial money/having it stuck
I contacted their support and they told me that both namecheap/spaceship have a bug where some domains show available when they aren't.
I haven't checked but since the amount was like 1-2$ now but this whole thing really soured my relationship with namecheap/spaceship.
For context, before this, I also had a hate/love relationship with namecheap because once I bought a domain with them using crypto and also bought their vpn which was like 20 cents basically
It had auto renewal on and my domain cost 1$ but crypto payment requires 10$ minimum and the VPN charged me money from that.
Luckily I had spotted before the 2nd month and to be honest, like only 1 month 10 days or something and I urged the namecheap company to do what's right (in that moment because a lapse of judgement had been made from my side/error and I hoped that namecheap could realize it and do "right" instead given that the cost was only around 10$ fwiw)
After waiting for many days, they finally did what's right and gave me my credits back as a one off thing and I then turned off their domains.
I also used a crypto swap thing to convert b/w usdc and btc (what namecheap accepts) and I had an issue of doing two times payment after the timeperiod of btc payment (15 mins) but they also fixed that issue by adding the credits manually when I raised the issue.
Their customer support at times can be good but the platform itself is a little shady in my opinion. For the VPN thing if I remember correctly, the auto renew was written with grey and I genuinely didn't read it without my specs.
I am gonna keep my domain with namecheap that I have and if I get deals from namecheap/spaceship then use them, but for individual domains without deals, hell no.
I know that many people don't like the centralized nature of cloudflare but cloudflare is a good thing for domains :/
I personally just buy domains from wherever there's a deal right now as some domains I have are some that I keep for only 1 year or similar.
To be honest, if I want to pick a domain-thing, I'd rather pick the one which is the cheapest or if not, then the one which only sells domains
I just looked at porkbun and they only sell domain related things and at best mail (they also have a deal with proton which can be interesting to many)
Porkbun is also cheap so I think I would recommend porkbun/cloudflare.
I haven't decided if I will transfer my domains from namecheap or not but their customer service is nice but the same can't be said for their service sometimes in my opinion.
This sounds like something ICANN should prevent. Is this not against ICANN rules? These fuckers ban emoji domains, maybe they should ban registries from arbitrarily stealing domains with no recourse. Maybe write to them and see if they can move something.
yeah same here. I canceled my account on name.com because I had previously obtained a .art domain maybe for ~15-20 USD / yr. Then they wanted $50 USD a year to extend it. No thanks, dropped the domain and moved to namecheap
At first I was stoked to have a two letter domain, but then I looked into it and learned these companies will get you hooked with a low initial price, then jack up the prices as the domain becomes established.
Quite the grift. My plan is to tread lightly on that domain and be ready to back away from it when the rent seekers move in.
You’d think there would be some sort of rules to the neutrality of these TLD administrators, but nope.
The second time around I wised up and got ogplus.net for an API domain instead of ogplus.media. I’ll take neutrality over vanity any day.
So this happened only because google is so big, that it can point to any website and say that it's not safe. Even if owner of a site just don't want to be in their search engine in the first place.
How on earth did we end up with this company bothering anyone including those that want their services? Imagine that you could get your driving license banned because you did not buy a toyota...
.com is definitely the gold standard, I got a .io more than a decade ago and if I could go back in time, I would just use .com, the pricing for .io has been increasing for no apparent reason.
People often make the mistake of treating .io like a gTLD, when it's actually a ccTLD for the "British Indian Ocean Territory" etc. ccTLDs have always had risks, especially when they are for a really tiny region.
Similar issues to .io happened with the popularity of .tv domains, which again is a ccTLD. The government of Tuvalu sought to increase income from sales of their ccTLD and prices went up. Tuvalu is such a small nation that .tv domain sales ended up making a significant part of the State's income.
Another fun example of the mess you can get into with ccTLDs was when the UK left the EU. All UK registered .eu domain names were cancelled following the UK exit from the bloc.
gTLDs generally have some degree of insulation from State-level politics. ccTLDs permit the nation or territory they represent much more say in how they are priced and who they are sold to.
Interesting, thanks for the info, definitely didn’t know that back in ~2012, but lessons learned, only .com or .org I have been buying in the past years.
> Update: Within 40 minutes of posting this on HN, the site has been removed from Google's Safe Search blacklist. Thank you, unknown Google hero! I've emailed Radix to remove the darn serverHold.
I wouldn't party too soon - from my experience getting something removed from Google's libel machine doesn't mean the same process that put it there in the first place is fixed, and you will most likely go through the same thing again and again.
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
This is just another way how Google has inserted themselves as the gatekeeper of the web.
The logic doesn't automatically extend to other TLDs unless they too are owned by the same firm. Alternative TLDs are often preferable because they're so much cheaper than wasting money on a .com, etc.
There are various gTLD that are cheaper. For example, .top is great and among the cheapest. It however is falsely maligned by those with small brains who stereotype things.
I like .top domains as well but .de might make more sense.
Considering .top domains have cheap registration and renewal, to me it does feel as if .top are very speculative. I liked to search random things in tld-list to find unique-word.<any tld> so like random.top but my past experience says that .top domains are bought quite a lot/very speculative.
If possible I like .de but I think that .top are fine too. Both are great for what its worth.
> It however is falsely maligned by those with small brains who stereotype things.
I didn't know about this, can you please elaborate more about it?
> I didn't know about this, can you please elaborate more about it?
Those with small brains who stereotype things often claim that .top is used only for scams, and that if a site is using .top, it means they're a scam site. In making this foolish assertion, they confuse P(A|B) with P(B|A). To continue, see the ChatGPT share 699f272e-475c-8012-ae9a-a89bd136fd01
> it does feel as if .top are very speculative
Sure, they can be, but again it's no reason to stereotype. They can be or become whatever they want to be.
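The P(A|B) versus P(B|A) point above is the base-rate fallacy, and it is worth writing out once, since the same confusion underlies a lot of blocklist reasoning. The following is an added worked illustration, not from the thread or the linked ChatGPT share; the three numbers are made up for the arithmetic and are not measurements of .top or of any registry. With "scam" for a scam site and ".top" for a site on that TLD, Bayes' rule gives

$$P(\text{scam} \mid \text{.top}) \;=\; \frac{P(\text{.top} \mid \text{scam})\,P(\text{scam})}{P(\text{.top})}$$

Suppose (illustrative values only) that 30% of scam sites use .top, that 1% of all sites are scams, and that 2% of all sites use .top:

$$P(\text{scam} \mid \text{.top}) \;=\; \frac{0.30 \times 0.01}{0.02} \;=\; 0.15, \qquad P(\text{legit} \mid \text{.top}) \;=\; 1 - 0.15 \;=\; 0.85$$

The number one actually observes about a TLD, $P(\text{.top} \mid \text{scam})$, says how scammers pick domains; the number that matters when a particular .top site is in front of you is $P(\text{scam} \mid \text{.top})$, and under these assumptions it is only 0.15, meaning roughly 85 of every 100 .top sites are legitimate. Swapping the two is exactly what turns "scammers often use X" into "X means scam".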
One time I bought a .dev domain, which is/was run by Google, and after missing the renewal deadline by less than 24 hours, the renewal price jumped from less than $30, to $800.
There are always the actual country TLDs, which (mostly) have specific regulations governing their use, and an actual government body to appeal to in case of unsolvable issues like this
So, how is this not libel by Google? The claim was that you were running an "unsafe site". Its their job to prove that, and not just "black box says so".
And you have system and reputational damages.
Go for small claims suit, $5000. It'll cost more than that for their attorney to go to your jurisdiction.
because google safe browsing is only supposed to display a "not safe to browse" warning when using chrome browsers (and maybe some other browsers) which you can (theoretically) dismiss(1)
it's not meant to have any other consequences
so basically what happens is that because of hearsay of google thinking your site is not bad Radix does what normally should involve a judge order (taking down the whole domain)
(1): Yes that still would cause damages on any site with customers, but like way less and way more fixable than what happened here.
The .com purist advice is sound but you're not getting four-letter domain names that way, and in some ccTLD zones you can still.
I was price-gouged out of owning a single, rare .icu domain when the renewal fee for it went from 20 usd to 220 usd overnight, just for this one domain... I'm pretty sure it's not Gandi, but the TLD operator, because other .icu domains I've had were fine. I decided to eventually abandon them all anyway. Moved away from Gandi later when they started doing gouging of their own, too.
I think that it's a good thing when domains aren't their main source of income. It gives them more incentive to provide good, stable experience and pricing.
Hot Take: the proactive action of the registrar here is probably more beneficial than the number of false positives captured. If the registrar is aware that Google is hot on blocking potentially harmful sites, it's right that they take action expeditiously.
The bigger problem is the unbanning - for which there should be a better system, probably that should take the form of the registrar having a short grace period to aid in the Google stuff (DNS verification etc.) with additional checks by the registrar to make sure it's not being used for spam/malicious content.
The other point being why was Google banning you so quickly? This is the opaque part. Was the site reported? Was there some URL hijinks? That's the thing you'll probably never find out.
That was my first thought as well. Yes, using the Safe Browsing list feels wrong, but I don't know enough to speak definitively in that regard. However wouldn't a relatively simple solution be that if a registrar is choosing to use some third party's list of banned DNS entries that the registrar then also implement sufficient unblocked components that will allow people to be unbanned from that third party?
> Add a DNS TXT or a CNAME record.
I haven't had a use-case for a TXT record come up yet, but isn't it low risk enough to allow domain owners to continue to configure TXT records even if the registrar wants to ban configuring other record types? Then the person in the article could prove ownership and could then get off of the third party ban list that the registrar was utilizing.
DNS can be thought of as a distributed KV store with built in caching suitable for low write high read use cases, so TXT makes sense for that. e.g. basic feature flagging can be accomplished that way with basically no work to set it up assuming you were already using DNS.
The registry cannot ban individual record types. That is not how DNS works.
The registry only maintains a list of NameServers associated with the domain (and records for DNSSEC zone signing). Registries have nothing to do with regular records. They only record who defines those records.
There is _some amount_ of justification to ban TXT. There have been a few cases of C2 servers using DNS to send instructions to malware, so letting TXT slip through the cracks would still allow for that.
Now whether this downside justifies the massive problem it causes on false positives...
TXT can't be banned. There are several RFCs that require TXT records, such as DKIM configuration, DMARC configuration, and it is extensively used for verification by things like AWS SES, Microsoft Office, and all kinds of things. It's built into many standards and used by all kinds of other entities for all kinds of perfectly legitimate things.
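To make concrete what the last few comments are arguing over (TXT for ownership verification, TXT as a small key/value store, and the DMARC/DKIM records that standards put in TXT), here is an added example of how a verifier reads such records. It is not code from the thread or from Google; the zone data is constructed, the verification token is a placeholder, and the DKIM key is deliberately not a real key. One detail the example shows that the discussion does not: a TXT record is carried as one or more character-strings of at most 255 bytes, which must be concatenated before the value is parsed, or long DKIM keys silently fail.

```python
from typing import Dict, List, Optional

# Constructed TXT record set, shaped like a resolver's answer:
# owner name -> list of records, each record a list of character-strings.
CONSTRUCTED_ZONE: Dict[str, List[List[str]]] = {
    "example.com": [
        ["v=spf1 include:_spf.example.net -all"],
        ["google-site-verification=EXAMPLE_TOKEN_NOT_REAL"],  # placeholder token
    ],
    "_dmarc.example.com": [
        ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"],
    ],
    "selector1._domainkey.example.com": [
        # Long values are split into <=255-byte strings on the wire.
        ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOC", "AQ8AMIIBCgKCAQEAnotarealkey"],
    ],
}


def txt_strings(name: str, zone: Dict[str, List[List[str]]]) -> List[str]:
    """Return each TXT record at `name` with its character-strings joined,
    as the SPF/DKIM/DMARC RFCs require before interpreting the value."""
    return ["".join(parts) for parts in zone.get(name.lower().rstrip("."), [])]


def has_verification_token(domain: str, expected: str, zone) -> bool:
    """Search-Console-style ownership check: the exact token must be present
    as its own TXT record at the domain apex. Any other content is ignored."""
    return f"google-site-verification={expected}" in txt_strings(domain, zone)


def parse_tag_value(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' syntax shared by DMARC and DKIM.
    Malformed fields and duplicate tags raise instead of being guessed at."""
    tags: Dict[str, str] = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed tag: {field!r}")
        key, value = field.split("=", 1)
        key = key.strip().lower()
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value.strip()
    return tags


def dmarc_policy(domain: str, zone) -> Optional[Dict[str, str]]:
    """DMARC tags for `domain`, or None when no usable record exists.
    RFC 7489: exactly one record beginning 'v=DMARC1' at _dmarc.<domain>,
    with a valid p= tag; anything else means 'no policy'."""
    records = [r for r in txt_strings("_dmarc." + domain, zone) if r.startswith("v=DMARC1")]
    if len(records) != 1:
        return None
    tags = parse_tag_value(records[0])
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags


def dkim_public_key(domain: str, selector: str, zone) -> Optional[str]:
    """The p= tag of a DKIM key record, taken from the concatenated TXT value."""
    for record in txt_strings(f"{selector}._domainkey.{domain}", zone):
        if record.startswith("v=DKIM1"):
            return parse_tag_value(record).get("p")
    return None


if __name__ == "__main__":
    print(has_verification_token("example.com", "EXAMPLE_TOKEN_NOT_REAL", CONSTRUCTED_ZONE))
    print(dmarc_policy("example.com", CONSTRUCTED_ZONE))
    print(dkim_public_key("example.com", "selector1", CONSTRUCTED_ZONE))
```

A registry serverHold removes the delegation entirely, so none of these lookups resolve at all; that is why the "verify ownership via TXT" escape hatch cannot work once the hold is in place, regardless of which record types the registrar would be willing to allow.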
they didn't "just" take down the site, they took down the whole domain
Even google safe search isn't blocking your site per se, it just adds a very annoying "this site is not safe" dialog you can "somehow" bypass (but most people won't and don't know how).
Like if this were the main site of a company (which it very much could be) this would also have taken down mail, all APIs, all Apps relying on such APIs.
so no this is absurdly unreasonable actions
that they seem to neither know nor care that this makes it impossible to "fix" false positives with google isn't helpful; it puts this in the area of high levels of negligence which can get you into a lot of trouble in the EU
Oh man. The infinite loops of impossible verification by large companies that should know better are a massive pet peeve of mine.
This goes right to the top for me, along the ubiquitous "please verify your account" emails with NO OPTION to click "that's NOT me, somebody misused my email". Either people who do this for a living have no clue how to do their job, or, depressingly more likely, their goals are just completely misaligned to mine as a consumer and it's all about "removing friction" (for them).
> along the ubiquitous "please verify your account" emails with NO OPTION to click "that's NOT me, somebody misused my email"
What would you expect clicking that "wasn't me" link to do?
In 99% of cases, the user who signed up with your address already can't do any more with that account unless you positively confirm it was you; and the site also won't send you any more email because they don't consider the email verified (and so sending to it might result in their emails getting sent to spam -> their email-sending reputation score going down.) So things are already in the state you'd want them to be in, no?
The only problem I can think of with that state is that now you can't sign up "fresh" for an account with the same provider, because now there's already an account associated with your email address sitting there in their DB in the pending-email-verification state. (But you still can acquire that account, by clicking "forgot/reset password" and going through that flow, which will inevitably go through your email, as anything like a 2FA setup flow always waits behind email verification.)
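The state the reply above describes (an account created with someone else's address stays inert until verified, and the real address holder can take it over through the reset flow) is easy to get subtly wrong, so here is an added model of it. It is not code from the thread or from any real service; token storage, password handling and the outbox are simplified assumptions. The one step the comment does not spell out is that completing a reset must also invalidate whatever the original signer-up had: their password is replaced and their sessions are cut off, otherwise the stranger keeps a foothold in an account that is now "yours".

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    email: str
    password: str                      # demo only: a real store keeps a password hash
    verified: bool = False             # nothing works until the mailbox owner confirms
    pending_token: Optional[str] = None  # last emailed verify/reset token, single use
    session_epoch: int = 0             # bumped to invalidate every existing session


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str, str]] = []  # (email, kind, token) "sent" mail

    def signup(self, email: str, password: str) -> bool:
        """Create an unverified account and email a verification token."""
        email = email.lower()
        if email in self.accounts:
            return False  # address already taken, verified or not
        acct = Account(email, password, pending_token=secrets.token_urlsafe(16))
        self.accounts[email] = acct
        self.outbox.append((email, "verify", acct.pending_token))
        return True

    def can_use(self, email: str) -> bool:
        """Every privileged action checks this: unverified accounts are inert."""
        acct = self.accounts.get(email.lower())
        return bool(acct and acct.verified)

    def _consume_token(self, email: str, token: str) -> Optional[Account]:
        acct = self.accounts.get(email.lower())
        if acct is None or acct.pending_token is None:
            return None
        if not secrets.compare_digest(acct.pending_token, token):
            return None
        acct.pending_token = None  # single use
        return acct

    def verify(self, email: str, token: str) -> bool:
        acct = self._consume_token(email, token)
        if acct is None:
            return False
        acct.verified = True
        return True

    def request_reset(self, email: str) -> None:
        """Always behaves the same outwardly so it does not reveal which addresses exist."""
        acct = self.accounts.get(email.lower())
        if acct is not None:
            acct.pending_token = secrets.token_urlsafe(16)
            self.outbox.append((acct.email, "reset", acct.pending_token))

    def reset_password(self, email: str, token: str, new_password: str) -> bool:
        """Completing the flow proves control of the mailbox, so it both
        verifies the account and evicts whoever created it."""
        acct = self._consume_token(email, token)
        if acct is None:
            return False
        acct.password = new_password
        acct.verified = True
        acct.session_epoch += 1  # original signer-up's sessions stop validating here
        return True
```

The `session_epoch` counter stands in for whatever session invalidation a real system uses (rotating a signing key, deleting server-side sessions); the property to test is that after the reset the stranger's old password is gone and their sessions no longer validate.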
Oh man we had a person leave unexpectedly who controls our Apple organization for our dev accounts. I'm several months into me making requests, getting responses at least a week later for each email where the responder ... didn't really read my message. Then they ask for documents ... but they forgot to send me the secure link ... another week+ for them to do what they said they were going to do. Now one of my documents didn't include a sentence they needed ...
One of the requests was for a business card ... I haven't had a business card made with my name on it in 20 years.
The amazing thing is that I bet scammers working this system can get through this faster than I can.
At this point they should just give me control because no way would some scammer fail this much at this ungodly process.
Scammers can definitely get through it faster than you can. Whenever you attempt to address abuse in a system by increasing the complexity of that system, you implicitly bias it towards those with the time and inclination to study it, which always includes those with intent to abuse it, and generally does not include your users.
> Oh man. The infinite loops of impossible verification by large companies that should know better are a massive pet peeve of mine.
I got hit by this from google.
1. Gmail added requirement for 2FA on my primary email address. Since I had no phone number on file, it instead used my recovery email address. Thankfully, I still had the password for my recovery email address, and could continue to (2).
2. Gmail added requirement for 2FA on my recovery email address. Since I had no phone number on file, it instead used my recovery's recovery email address. Thankfully, I still had the password for my recovery's recovery email address, and could continue to (3).
3. SBC Communications no longer exists, as it merged with AT&T in 2005. Email addresses at `sbcglobal.net` were maintained up until around 2021-ish, when they started purging any mailboxes that had been idle for more than 12 months.
Fundamentally, this was google's fault for misusing a recovery email for 2FA. Unfortunately, the only way to fix it would be to contact AT&T, asking them to pretty please update the email settings for somebody who hadn't been a paying customer for two decades.
Google made it very clear years ago that they shouldn't be trusted with anything irreplaceable/that would cause major problems if you lost access.
Once it became clear that they'd shifted from "crappy customer service" to (IMNSHO) "we fetishize the complete absence of customer service" it became dangerous to depend on them. Really, what's the worst that could happen? Maybe someone spams emojis in live chat on a game livestream at the request of the streamer on a personal account, it gets banned for abuse, Google recognizes that it's linked to other services and locks down everything? But that's so unrealistic I'm sure it could never happen.
It's not like they also have the ability to identify links between multiple accounts accessed by the same person and have automated processes that might stomp the associated accounts as well. Why, that would probably require something like allowing poorly-understood automated agents to take actions on their own!
> Fundamentally, this was google's fault
Or yours, for not caring about 2FA. It's been a common practice for many years, and strongly recommended by most identity services, as well as OWASP and NIST recommendations.
What would you do in Google's place?
I have the same issue. At the time I created the account that I'm locked out of, Google said nothing about these "recovery" email addresses as 2FA. Years passed without any notice that maybe they were going to lock me out of an account I have the password for. No notice that I had better have access to that "recovery" email address that I hadn't bothered to keep up to date because I never thought I'd need to "recover" the account from Google. (In my case, it's an old .edu email address that I was promised "for life".)
If Google wanted to lock me out of my account for my own good until I enabled 2FA, fine. But as GP stated, they abused the recovery email addresses to force 2FA on people and ended up locking some people out of their accounts.
Not add 2fa automatically, but instead prompt with options to add it.
This probably doesn't comply with the relevant recommendations, but cutting a user off from their email is worse in my opinion.
I'm sure Google prompted author for years begging to turn the 2FA on, as well as warning that they will enforce it on day X. Author ignored them all.
That doesn't make forcing it any less wrong.
Why is 2FA so critical it’s worth proactively breaking the user? What’s the even more bad thing that would (not could) happen to the user if 2FA was not enabled?
Password database leaks turning into spam/proxy farms of very well aged accounts.
nonsense. any feature should have acceptable failure modes. blaming the customer for a fault they have no control over is not acceptable. many people know nothing about 2FA. it is not their responsibility. 2FA is a symptom of shittily designed systems which are inherently insecure and companies who don't give a shit about that and let their customers shoulder the burden by shoving complexity down their throats.
if you make an app it is not your customers' responsibility to secure it with additional actions from their side. if it is, you need to make it mandatory and guide them step by step.
you can't after a while enable some toggle and tell people to fuck off and it's the fault of their ignorance to not know some technical details.
most consumers of these services don't know shit about IT and they should not be burdened with it. any product that demands it is either only meant for tech savvy people or more likely lazily and badly engineered by money hungry people who see opportunity to make more money in users' issues.
> many people know nothing about 2FA
That's why Google sent them multiple emails explaining what it is and recommending to turn it on. What else could Google do?
Not just turn it on without their approval.
Not force nonconsensual authentication methods onto users.
Google is one of the rare places I actually see positive value to 2FA. Compare with say banks, where it being demanded actually decreases my security. But regardless, it should not be forced.
As for the banks I doubt it decreases security. Even SMS 2FA actually reduces fraud by 90%+.
Yes, some banks implement it in silly ways, like SVB requiring biometric login in order to scan a one-time QR 2FA code from their app (biometric login is less secure), but you don't have to use the QR code, you can use regular 2FA without biometrics.
But even then having 2FA is 42 times better than not having it.
But then millions of users would stay unprotected from password stealing (see https://haveibeenpwned.com/).
They certainly did a proper thing forcing people to use 2FA AFTER multiple emails over the years recommending to turn it on, and warning that they will enforce it, which they did.
Someone constantly adds my Gmail address as their Gmail account's backup address.
I constantly remove it whenever Gmail sends me the notification.
I can't help but think there is some method for the other person to steal my Gmail account if I never remove my email as their backup.
I have an "OG" mac.com account (got it about five minutes after Steve announced it). My wife actually has her first name.
We both get hit with "OG Hell," where people are constantly entering our emails. I think most of the time it is accidental (maybe they meant "XXX1234", and forgot the number).
What makes it worse, is that Apple aliases mac.com, icloud.com, and me.com together, and there's no way to turn off one of the aliases.
mac.com is really in retirement. No one sets up new ones, but the miscreants typo icloud.com, which gets routed to me.
I have a rule, where I shitcan every mail to icloud.com, but I wish I could simply turn off the forwarder.
I logged in several times to other people's accounts and reset their passwords. But it's too tiring, people keep adding my email.
I hope it's because I have small simple email and not because they want to steal it.
Have you tried sending them emails asking/telling them to stop?
I’m a different person, but this happens to me, too. I have the kstrauser@yahoo.com email address because I signed up for it like 25 years ago. I log in every 6 months to see what the few other kstrausers in the world have signed me up for.
Not jsmith, but kstrauser. Not Gmail, but Yahoo. And I still get banking docs, and HOA meeting minutes, and birthday party invitations, and Facebook logins, and other bizarre random stuff.
I have so many questions. I’ve typoed my address before and had to correct it. That’s understandable. But to wholly invent one and say, yep, that looks good even though I’ve never used it before, I’m sure it’ll be fine! I just don’t get it.
I have a catch-all on a .com.au domain where there exists a later 1000+ people organisation with the equivalent .gov.au. I get what you described but from many, many people - divorce proceedings, legal discussions, financial documents, health things, etc.
Yeah I have josephg@gmail. The amount of spam that account gets is wild - about 50-100 emails hit the inbox per day. I got soft-locked out of google docs a few months ago because my google account's 25gb quota was exhausted.
Some of the emails are really unfortunate stuff. "Your account was added as a backup address." - Then inevitably, a few weeks later, dozens of password reset emails. Sorry bud. I've received pay stubs. Orders and invoices. I get phone bills every month for someone in India. It's chaos.
Early on I'd sometimes reply to these random emails telling people they've got the wrong address. The most astonishing reply I ever got was from HSBC bank telling me I needed to come into the branch to change my email address. Over the course of a week, I explained about 3 times that that was impossible. That I live in Australia. That I'm not their customer, and it's not my account. Eventually they told me they were disabling online banking on my account. Now I've given up replying at all.
Send emails into that pit of PII misery if you want. I don't read them.
I had one where the person seemed to think their @twitter name was the same thing as my gmail address. Haven't seen it in a while, maybe they figured it out after I told their kid's teacher they had the wrong person...
>You write an email that says "Hey, can you please stop using my email address?"
>You send it to johnsmith@gmail.com
>You receive a new message, it says "Hey, can you please stop using my email address?"
>You're johnsmith@gmail.com, you only know that's the address that's being used
PS: I know that if he resets the password he can get the other address, but this scenario was funny in my head.
That may be what they're hoping for, using a similar modus operandi as those WhatsApp/IM messages from strangers who text you with things in the vein of ‘Hey, it was great meeting you at the conference’ or ‘Did Martha like your flowers?’ etc.
They may well be looking for targets.
There are times where you just can't... someone uses my email address in person at Tractor Supply Co. and I'm getting a ton of marketing email I can't unsub from.
I've had this happen several times... There's a lawyer I used for a dispute a few years ago, and they now have another "First Last" name that matches mine, and he keeps emailing me... my reply, "Wrong Michael, again..."
It's kind of annoying all around... I need to get off my butt and get a few things shifted, then just start relying on my own MTA again, instead of forwarding *@mydomain to my gmail. I'll still wildcard the domain, but to a single mailbox on my own MTA.
I'm not sure how bad the spam might get though... I've had a test account on my MTA for a couple years and it hasn't really received any... my wildcard accounts either... I use the wildcard so I can do things like walmart@mydomain, to see if/where an email address is sold/leaked from regarding spam.
Contact the Bar Association for that lawyer's state. He will definitely stop making that mistake then.
You’re confessing to several actual felonies here, may want to change strategies.
Right. Techies are always quick to suggest I do something naughty or funny with this "great power" I've unwittingly gained, but in reality it's just a liability. If I ignore it and they do something nasty and implicate me, it's a pain. If I touch it with a 10 ft pole, now I'm even more actively involved.
Just include "not me!" in the verification email, damn it
“…and so I made him the owner of my account, and he used that to remove himself from it!”
“We’ll be right over.”
You forgot the part where he reset their email he didn't own and changed their passwords so they couldn't get back into it
I think you’re misreading this. OP has an email account. Someone else signed up for some website that doesn’t verify that you own the address before allowing you to log in and use the service. If the site did verify it, the user wouldn’t have been able to log in because OP would have been getting the verification emails, and not the user.
Later, after OP told the user and they failed to change their address, OP logged into the site and changed their password, putting an end to the spam they were receiving from the user’s actions.
I don’t have an ethical qualm with this. He didn’t want to sign up for the service. Someone else signed his email address up for it. Legally, I can’t imagine that being prosecutable.
One thing I've found, occasionally the hard way, is that helpful bystanders are always offering advice based on "ethical", "intuitive", "logical" and "common sense", usually without any aspect of "legal".
I got divorced a decade ago, and every well-wishing person in my life was strongly urging me to do things which were shockingly counter-productive / dangerous / wrong, based on their confident understanding (assumption, really) of the law which was completely and dangerously inaccurate.
Hacker News audience is global. People start accounts for various purposes. Yet people still freely share the notion that logging in to some unknown website run by an unknown company from a hard to spell country and then touching things is universally safe.
I miss the old "IANAL" tag which at least provided basic warning and self-awareness :-).
While true, I think that's implicit in all online conversations. I'm certain my thinking is 100% wrong in some jurisdictions elsewhere. Anything I say is wrong somewhere.
"It's OK: you can curse on the Internet." "Not when you're typing from Iran!" "Well, OK, if you're in Iran, don't take this American's advice for dealing with a government."
Part of our obligation as a reader is to consider what others are saying in the context of our own circumstances and experiences before trying to apply it. If you don't, and things end badly, that's on you.
But I stand on my words: I think it's ethically OK. You may not. That's alright. We're not required to have the same ethics or morals. And I don't think that's prosecutable. That's my opinion, based on my circumstances, not a statement of fact that applies in all jurisdictions around the world.
Above all else, I got tired of giving disclaimers about every single thing I say lest someone jump in with a "gotcha! scenario" I hadn't considered because it's not relevant to the context of the discussion.
IANYL, though! Offering legal advice with the disclaimer “I am not a lawyer” could be prosecuted as practicing law if a reasonable party could still infer a potential lawyer-client relationship from your message and/or intent. Instead, “I am not your lawyer” explicitly denies the lawyer-client relationship, which closes the door on both being accused of practicing law illegally and on being found as party to a lawyer-client relationship whether or not you have the appropriate certifications.
> closes the door on [...] being accused of practicing law illegally
Does it? So I can say, "I'm not your lawyer, but I'm happy to go ahead and give you specific legal advice on your case." and I can't be accused of illegally practicing law? I was under the impression that this could still get you into hot water. But not being your lawyer, due to the fact that I am not a lawyer at all, I don't know if it is true or not.
IANAL, so take this with a grain of salt, but:
As with all things, who are you going to get in trouble with? And what's so magical about legal practice as opposed to, say, giving shitty medical advice or telling someone how to build a porch? Asking genuinely. No one falls all over themselves to say "I am not a doctor, but...", even though their next words could kill someone. The implication is that they don't have formal training but they saw something on Facebook that you should try. What happens next is on you, not on them.
> No one falls all over themselves to say “I am not a doctor, but”
This is precisely why I’m pointing this out: IANAL is a very curious case of people self-labeling their statements as “not trustworthy for the topic”. I can think of perhaps no other cases where it is so popular to claim to not be a professional in the relevant field, which suggests that IANAL is a ‘badge of honor’ rather than a proper legal disclaimer. Certainly few (if any) claim IANAD before writing about their experiences with medical issues, body things, or nutritional supplements here, even though those topics are (as you correctly indicate) potentially lethal.
Thus, IANYL: if your goal is to ensure that the recipient of your advice / opinion / whatever does not have grounds to claim that you provided legal advice, and therefore are their lawyer, then you can either do so weakly with TINLA (“this is not legal advice”), which still leaves the door open for awkward claims by some desperate grifter-rando to reach a bench, or you can do so strongly with IANYL (“I am not your lawyer”), which closes that vulnerability in full.
Not once in years of using IANYL have I seen anyone else properly protect themselves from this vulnerability; meanwhile, “IANAL but” remains in use as a badge of honor. So, yeah, I don’t think anyone considers the particular avenue of vulnerability a serious threat, and yeah, the general context of IANAL here is prideful rather than protective. But after twenty years of dealing with a stalker who was adept at internet and tried to fuck with my job at one point, I do now tend to value closing off legal vulnerabilities with certainty, and as a bonus it doesn’t imply insult to the professions of law.
IANYL, YMMV :)
You give someone ownership of something and they used that ownership...
It's like leaving your bike in the street, with no lock. Still theft, but you'd be up for a part of the responsibility.
No, it's like giving someone a set of keys to your car, and they take it for a drive.
I think it’s more like you registered the car in their name. Now they’re allowed to use it, and also responsible for the thing which they didn’t want.
Consider that the “imposter” starts uploading child porn or something, and it’s on an account registered to your address. I think it’s perfectly A-OK to tell the service that it’s not me using the thing and I want them to close the account someone created in my name.
It's more like leaving your bike in someone else's garage.
I'm curious if this would really be considered unlawful access, since only pure idiocy and no hacking/scamming/etc were involved.
It would be in Canada, but our "misuse of computer" charge is overly broad and has never been well tested.
On the other hand, in Hong Kong it would be straight to jail. Someone was sent a link by the airline, he changed a couple of characters and it ended up showing another person’s data. The guy voluntarily reported the vulnerability and all he got was a criminal charge and was found guilty.
No harm done, no one is gonna prosecute this.
In what jurisdiction? He's in Russia
My Gmail account is a funny word in Spanish that I got when there was still plenty of names available.
I get TONS of emails of people trying to join services that use my address as a "fake email".
This happens to me several times a month. I'm more concerned about account termination, in that if their Gmail account is terminated for some reason, mine would be as well due to it being the backup email address.
You could try stealing theirs. Surely, one of the forgot-password flows must use the recovery email.
A couple of years ago someone associated my email with their bank account in Santander UK. I tried to get in touch with Santander but turned out that the only way to do so is to either make an international call (I don't live in UK) or send them a paper letter. I gave up and just routed these emails to separate folder.
I meticulously report every single email like this as spam. Every single one. If it _could_ be read as a phishing attempt, I report them as phishing.
Etc.
It's entirely on us as citizens for leaving them as pet peeves instead of crafting them into strategic law that makes them not only illegal but shunned. A little bit of structure goes a long way here.
I'm currently in the endless email loop because someone named Raymond used one of my Gmail names to register with State Farm. One of their agents even emails me directly when he gets really behind on his payments but won't do anything when I tell them it's the wrong email.
In the past when this happens I usually reset the password and change the email to some anon throwaway but I can't do that without Raymond's DOB (don't quote me on that, been a while since I tried).
No need to look for malicious intentions, this is just a feature that costs money so it's very low (or zero) priority for profit driven organisations.
I wonder if finding the people responsible and spamming them with their own service emails would make the team care enough to fix this. But of course that's mostly dubious, probably illegal, and shouldn't be a responsibility of some vigilante hacker.
> No need to look for malicious intentions, this is just a feature that costs money so it's very low (or zero) priority for profit driven organisations.
Malicious inattention then, by the profit driven org? :)
If bartenders are legally (including criminally!) liable in some jurisdictions for their customers, then certainly a chain of legal liability can exist in other industries.
What are you envisioning exactly?
Am I supposed to envision something?
When pointing out that legal parallels exist, to enact a solution, must I envision that solution?
Yes but bartenders overserving is a crime done by a working-class person and not a wealthy business.
What is the word for harming other people in order to make more money for yourself, if not "malicious"?
With AI these days it’d cost almost zero money. /s
A chronic problem is the idea that if something can't be automated with a human in the loop then it simply can't be done at scale. Technologists will do anything except employ humans to solve social problems.
s/technologists/venture capitalists/
I prefer "please verify your account" to "thanks for joining" by a lot. The former presumably does not verify when I ignore it. The latter should be illegal but somehow isn't.
I do wish there was a requirement for some sort of "no" button that would stop sending sign up requests entirely.
Any idea what the incentive is for them to put in an email address they can't access?
I run a few websites that accept an email address (all noncommercial, I have no interest in spamming anyone). One of them is the "contact me" feature on my personal website. To prevent spam, I had people just put in their email address and it'll automatically email them my email address. This works perfectly to this day, haven't got a single spam email on any of the addresses I've handed out, but the ratio of emails sent out to received is probably 50 to 1. Why would anyone put an email address in there if not to contact me? I've been wondering if it's used by mail bombing services, idk if that's a thing but I know of the concept of annoying someone by signing them up for a hundred newsletters. My site doesn't send recurring emails, though, and it doesn't allow putting more than two email addresses per month in, per /24 IPv4 block (and even more strict on v6). It's useless for mail bombing services but the (presumed) bots keep submitting a steady rate of maybe 2 new email addresses per day, each time from a new ISP in a random country. No email address is ever submitted twice. No rhyme or reason to it. If anyone can make sense of this, that might help me in stopping the abuse.
One way to do phishing attacks is to inject some payload in an automated mailing so malicious content comes from a valid email address. I wonder if they're testing whatever mail entry they can find with addresses they have access to in an attempt to find something usable?
> The former presumably does not verify when I ignore it.
That doesn't prevent a huge majority of them from sending you notification emails all the time even if you never verify.
Ah the old "reverse identity theft".
Relevant xkcd:
https://xkcd.com/1279/
Yeah, I get the same regularly.
Smartly, I got firstnamemiddleinitiallastname@gmail.com. I never get anybody else's details.
On the other hand... Occasionally someone gets my info because some careless person entered my email address into their system incorrectly. You'd think this problem would be solved by moving to a custom domain, but I still once in a while find that someone completely ignored what I put into the form and signed me up as firstnamelastname@gmail.com.
happens with apple products all the time
The point of the system is what it does.
They can't just say "we don't want to deal with small timers who will not pay us big bucks doing nonstandard things" without pushback but they can write the policy so that a huge fraction of those use cases fall into some crack that can only be got out of by incurring the kind of expense that's a non-starter for those users. Your municipal code is rife with examples of this.
This is a catchy aphorism, but not really true. Things can be badly implemented so that they fail to achieve their purpose.
People often have trouble with this saying, and that trouble often boils down to the difference between intent and purpose.
The people who create a system have some intent for it. The system may or may not effectively achieve that intent, may or may not outlive the initial conditions that surrounded its creation, and may or may not have side effects.
Purpose is something humans assign. It is sometimes linked to intent. A carpenter's hammer is intended to drive and pull nails, and that is often also its purpose. The purpose of the hammer I keep in my basement is breaking open walnuts.
The phrase is stating that the purpose we should assign to systems when judging them is their outcome, and not the intent behind them.
> Either people who do this for a living have no clue how to do their job,
how naive. most of the world works to survive, not because it's their dream vocation. they probably don't care as much as you do
The registrar relying on Google Safe Browsing as a “trigger” for suspension is the most horrifying thing I’ve seen in a while. This basically makes the entire TLD unviable for serious use.
It's the registry, not the registrar. I made a website that tries to help explain some of the lesser known nuances and risks relating to domains. The section about domain reclassification is based on first hand experience and is especially interesting IMO:
https://tldrisk.com/beyond-basics/reclassification/
> This basically makes the entire TLD unviable for serious use.
It doesn't just make the TLD in question unusable. I think it makes most of the new gTLDs unusable. Registries can enact policies and systems like this, regardless of the detriment to registrants, due to a lack of oversight and registrant consideration by ICANN. That creates uncertainty and makes it pragmatic for registrants to simply choose the gTLDs with lots of history and precedent: .com, .org, etc.
The only two TLDs I'd personally rely on are .com (gTLD) and .ca (ccTLD).
.online is one of the many TLDs that charge a dollar for registration but bump the price to $30-$35 for renewal. So far, this seems like a good signal to tell apart serious TLDs and ones just preying on customers who sort by cheapest (or capitalizing on one-off phishing domains).
I had a .fun domain that I was using to host a small project and they pulled that on me, I just let it expire and killed the project.
The followup from that would appear to be don't use any domain that Radix controls.
More generally, I think it's advisable to prefer the ccTLDs of places that are politically stable. And (IMO) to view com/net/org as defacto US ccTLDs (technically they aren't but for all practical purposes they might as well be).
Yeah this doesn't seem like a unique or new issue:
https://news.ycombinator.com/item?id=40195410
This is the real story. This is 100% a problem with Radix. Safe Browsing targets the website, not the domain. No reason a registrar should be suspending an entire account over something a company reports. Black-holing the A and CNAMEs on a subdomain? Maybe..... But even then I don't think it's the registrar's place to do that. Freezing the entire account? Absolutely not.
Blackholing the A and CNAMEs would prevent getting off the Safe Browsing list, as mentioned in the blog post.
Who said serious use is their business model though.
Registry, not registrar
Thanks, yes, even worse! The registry should act on only legal orders IMHO.
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
That should be enough to trigger an antitrust case against Google and a split of its activities. When, despite being unrelated, it becomes the gatekeeper of your presence on the internet.
Worth noting: emails from .online domain (and many other TLDs [1]) are also way more likely to end up in the spam folder.
https://www.spamhaus.org/reputation-statistics/gtlds/malware...
The TLD owner in this case was Radix, which also owns
.store .online .tech .site .fun .pw .host .press .space .uno .website
https://radix.website/
They seem to be almost always associated with scam sites.
So, might as well block entire TLDs and never buy a domain under those TLDs
These alternative domains are quite popular with the fediverse and other hobbyist-run groups. Affordable domains with somewhat recognisable names still available.
Scam websites will use any TLD in my experience. Based on the ones that made it to my Google search results, .it and .info are the TLDs I should be blocking. When I search for "free roblox cash", most websites are .com. "Free robux" also brings forth a few .ca websites. "Free steam gift card" leads to .org and .com.
> Affordable domains with somewhat recognisable names still available.
Aren't they only affordable for the first year though?
I don’t know about most of them, but I’ve used .pw for many years for most of my domains as pw is really cheap even on renewal.
My all time favorite Fediverse domain is jorts.horse. That’s the most delightfully random thing.
this looks exactly like every mastodon instance I ever saw.
The only .fun site I know is neal.fun, which regularly features on the front page here: https://news.ycombinator.com/from?site=neal.fun
I can also name https://beamng.tech/
That's just because they're relatively inexpensive
funnily enough, good.store which sounds like a made up example of a scam is actually a nonprofit run by John Green and his brother Hank Green
Only .info is missing for the bingo :)
Because they are very cheap. If you are a scammer, why pay $5 for a domain when you can buy one of these for $1.
I use them when I need a random domain.
> Because they are very cheap.
When I first bought a .online, it was not cheap
Well, dang. I've used a .tech as my personal domain and email for some years now, and didn't know this was owned by an obnoxious registry.
Despite blocking 66 TLDs and all IDN ccTLDs on my home dns I didn’t have these blocked. Guess I’ll consider it. Once you have the hagezi rpz files including threat information feed though you really have blocked most silliness.
> The domain ... has been suspended due to its blacklisting on Google Safe Browsing
Et voilà ... ! this is precisely the slippery slope I warned about a decade ago. The indirect censorship becomes direct censorship, defeating all the arguments about the morality of such a list. And:
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
Yet more monopolistic power to Google.
This is 100% on Radix, not on Google. Google and Microsoft can (and probably should) have a registry of known-abusive websites. False positives are inevitable, so these should be taken with a grain of salt, but in most cases they're correct. Their lists are a lot more reliable than those from the "traditional" antivirus/anti-scam vendors that will list anything remotely strange to pump up their numbers.
The external people treating these lists as absolute truths and automatically taking domains down are the ones at fault here. Google didn't grab power, Radix gave it to them without asking.
Exactly what we predicted would happen (someone would eventually put "too much faith" in this list) has literally happened, and your defense is still "well it's not Google's fault, it's a 3rd party's!". Obviously the point is not that Google was going to do it, but that others would, analogous to the process known as "self-censorship".
Self censorship requires a threat or risk of detriment if the party doesn't self censor, right? Where is that here?
What Radix does has no impact on Google, and I don't see how Google would be incentivized to pressure Radix. So I don't see how to make the leap blaming Google for Radix's incompetence. Yes, Google should recognize the risk of this happening, but they'd have to balance that against the rewards (or at least what they consider rewards)
Google is making false statements about the safety of a domain and it has significant collateral damage. Google is the cause. They should be liable for losses.
I had my main family domain put on Google's Safe Browsing block list and it has a massive impact. No one can visit the site. I think apps using system browser runtimes (ie: mobile) may stop working. I've seen reports that it can impact email deliverability. And, now, we see that it can get your domain put on serverHold so the problem becomes impossible to rectify.
Google should have to pay for the damage. In my case, it was about 4h of work to figure out what was going on and how to fix it, so not much, but I've seen small businesses that rely on their primary domain to drive most of their sales via web and email. In those cases, having your domain placed on server hold because of Google's false statements can have a serious, detrimental financial effect.
That's fair, if your domain is erroneously put on the block list, Google should be liable for the consequences.
But my point is that any knock-on effects like domain suspension, email deliverability, etc. stem from 3rd parties misusing the Safe Browsing list outside the scope of Safe Browsing.
I don't see how Google can be blamed for other companies erroneously treating the Safe Browsing list as a source of truth for generally malicious domains.
> But my point is that any knock-on effects like domain suspension, email deliverability, etc. stem from 3rd parties misusing the Safe Browsing list outside the scope of Safe Browsing.
That's fair and I agree. My opinion is that both should be liable in a case like this. If I had to attribute it, my starting point would be that Google is liable for the loss of website traffic and the registry is liable for the loss of email and all other lost services due to the domain suspension.
It spirals though because, like you pointed out, no one forced (ex:) Mozilla or Apple to adopt the blacklist. They did that voluntarily, so they should be responsible for their share. That's why nothing ever gets fixed. It's broken, but there's so much potential for finger pointing that no one gets pinned down and held responsible.
The answer is always the same IMO. Break up big tech companies into a million little pieces.
A lot of laws use the phrase "known, or should have known"
Google should not have known that someone would misuse their block list to block domains. But now that someone is misusing their block list to block domains, if someone brings it to their attention, the next time this happens, they will have known it.
I am not a lawyer, I am not your lawyer, and this is not legal advice.
I read your comment as agreeing with the article: "Never buy a .online domain".
And Google has the right to publish a list, there should be more lists not less. But Google was at fault for not correcting their blacklist. Until the article appeared on Hacker News, this was not 0% on Google. A small, correctable mistake, but they deserved a tiny bit of blame.
> But Google was at fault for not correcting their blacklist.
If all it takes to be taken from the blacklist was to temporarily delete the NS record - the list would be useless against malware.
What do you mean, external people? Aren't these lists integrated into the browsers? I'm sure if you try to open a website from this list your browser won't let you and it'll put up a big warning sign.
What is to stop Google et al. from also adding a lot of excess domains to pump up their numbers?
What is to stop everyone from doing this blacklisting?
Google doesn't sell their list to you. They give it to you for free. Using their list costs them money. Pumping up numbers gains them nothing but the headache of PR issues when they get a false positive.
Spyware filters used to boast about how many domains they filter out because they wanted you to buy their filters instead of someone else's. By the time they hit a false positive, they've already sold a year's subscription to that customer.
The incentives are different.
Step 1: Get everyone to use your free internet filter
Step 2: Alter filters to mark newly-registered domains and low-traffic websites as "potentially harmful".
Step 3: Charge a lot of money for "business verification" - which gives them a fancy badge somewhere and incidentally makes their website trustworthy in the eyes of your filter.
Step 4: Profit!
The Big Tech cartel has been doing this pretty successfully with email (see the weekly "Don't self-host your email" posts), why should we assume they are doing anything different with browser-based website blocking?
>pretty successfully with email
Indeed. I was going to register an account somewhere the other day, and the signup form had a list of acceptable email domains. Gmail, Protonmail, Outlook, Yahoo, iCloud... a few others. It's not the first time that's happened to me. Sad.
EDIT: Didn't even include Fastmail, who's pretty big after all. They host MX for my domain, so I could have "circumvented" it that way with their disposable address feature, but nope.
I've found that, whenever considering Google's actions and incentives, you need to remember two things:
- They make almost all their money on advertising
- They have deep ties to the US intelligence agencies (To the point that a Google employee managed the appointment calendar for our Secretary of State a few years ago!)
So, how would these incentives apply to their Internet blacklist?
- If you are parking lots of Google ad spam, they are taking a cut of your revenue, so they have an incentive to take you off the list (evidence and testimony from the antitrust trial documented ongoing fraud in every layer of Google's vertical ad monopoly)
- If you are hosting something the intelligence agencies dislike / are neutral to / like, that'll impact your presence on the list.
Not true. Commercial or large scale use requires you to use their Web Risk API instead which is a paid service
> Pumping up numbers gains them nothing but the headache of PR issues when they get a false positive
There is also the headache of PR issues when they get a false NEGATIVE. “Google didn’t protect grandma from this scam website!”
Google wants you to use it. If it blacklists excess domains that hold legitimate sites, their product gets worse. If they blacklist illegitimate sites, their product gets better.
This argument would hold more weight if Google didn't have a history of making their own products worse and then getting rid of them.
Cute. That is the commenter’s whole point about monopolies. Google is on record making their product worse to squeeze revenue. We’ve been living in the enshittification economy.
There is a financial incentive to make the search results worse. (More searches, more ads, more money.)
There is no incentive for adding false positives to lists of malicious websites.
Sure, until their "smart filters" start considering GCP-hosted websites as pre-verified and small self-hosted websites as malicious. You know, like they have been doing with email?
Chrome is big enough that a website owner can't afford a false positive on their malware list, just like they can't afford to have all their email end up in spam for all Gmail users.
Due to their near-monopoly Google also has no incentive to avoid adding false positives to their blocklist - provided they don't accidentally block high-profile targets. And if a CxO is screaming over your shoulder that your website has been blocked, arguments about "false positives" aren't very compelling: they'll just demand you move off the "shitty basement provider" and switch to "proper hosting, like the Google Cloud"...
> We’ve been living in the enshittification economy.
That whiny bullshit about somebody else's website? You don't have to rely on a website or app. Either you need their monopoly because you can't do it yourself, or you have options.... In both cases the whining is not needed.
Same as for those antiviruses.
Nobody sees Google's numbers except Google... in other words, the numbers are not a sales tool for Google like they are for anti-virus/blocking companies. So, there's no reason for Google to pump up their numbers, it would just be extra work to make their product worse which wouldn't make sense.
Nothing, but they haven't done it so far, and they don't really have any incentive to do so.
It doesn't really matter that it's Google. It could have been Microsoft, or PAN, or McAfee or some fly-by-night vendor. The problem was Radix taking the list as iron-clad truth and disabling the domain without any notification or way to resolve the issue.
Google’s allowed to have an opinion. But that doesn’t mean that the registrar should be suspending the domain immediately in response. These two mechanisms should be decoupled.
Google should not be allowed to make libelous statements without consequences.
How is any kind of antivirus or threat detection software supposed to operate on this standard?
Libel suits can be financially catastrophic, so even a tiny false positive rate could present risk that disincentivizes producing such software at all.
And a threat detection mechanism that has a 0.0% false positive rate is conservative to the point of being nearly useless.
I think that is the idea. They shouldn't exist without a prompt mitigation path.
In other words, if you can't deal with the false positives in a timely manner, you SHOULD be liable for the damages.
I can't build a budget car put together in an unsafe manner, then complain I can't compete due to all the people's cars crashing and blowing up and people suing me.
You document your claims with concrete evidence of fraud. That will be your libel defense. No evidence means you bear the full responsibility of a fuckup.
At internet scale, this would roughly be equivalent to not doing any warning or detection at all.
Scalable systems need to use heuristics to catch threats. Needing concrete evidence in every case means that an enormously higher amount of malicious resources will not be flagged.
There is a policy argument as to the right balance of concerns here. But there is a clear trade-off to make.
Then that heuristic is your evidence in court. If it's a good heuristic, you win the case. If it's a bad heuristic, you lose the case.
"Your Honor, we banned this person's website because his web page contained the word 'bitcoin' more than 5 times" will not hold up.
"Your Honor, we banned this person's website because it contains a bitcoin miner script. See, here is the script, and it matches the hash value found in these other attacks" hopefully holds up.
> Needing concrete evidence in every case means that an enormously higher amount of malicious resources will not be flagged.
Giving everyone a fair trial just doesn't scale. It costs too much.
(IAAL but this is not legal advice.)
It’s not libel. Defamation requires a false statement of fact. Marking a website as “unsafe” is an opinion.
> Marking a website as “unsafe” is an opinion.
No, it's not.
You're welcome to cite case law if you want to insist. Otherwise, unsafe (in the context of infosec) has a definition of likely or able to cause harm or malfunction. Something that is provable or falsifiable with evidence.
I'm curious as to how you would prove that it would be impossible for any resource accessible under a given DNS domain to ever cause harm to anyone else.
You don't. Google has to prove that something on that domain can cause harm.
Isn't "oops we made a mistake" actually a valid defense to libel in most US states? I thought you had to prove it was intentional to some extent? Or reckless/negligent? IANAL.
Google takes no action to review the reports that their warnings are false until you sign up for Google products (namely - registering the site in their search console).
I reported a falsely flagged site repeatedly for weeks with absolutely no action from them.
Mozilla and Microsoft both did actually remove the warnings after the reports (Edge and Firefox stopped displaying the warning). Google did not. Google strong armed me into registering for google products, like a fucking bastard of a company.
This was the moment I went from "I don't love google anymore" to "Google can get fucked".
I wish them bankruptcy and every damn legal consequence that is possible to enforce.
I'm not defending google, I'm just wondering if claiming libel is barking up the wrong legal tree.
"I believed it to be true" is a defense. But negligence isn't. In fact, that is usually what you want to prove, that they acted on things that a reasonable person (or a person that is supposed to be skilled in that field) can see is not true.
Negligence is an element of the tort of defamation.
Whether that's true or not is irrelevant if it's defined by law differently. Even without case law and precedent you'd still have to test it in court, which for libel can be prohibitively expensive.
For clarity I'm not agreeing or disagreeing, but what makes sense to the layperson (including experts in a particular field) is sometimes at odds with what the law says.
Google is stating it from a position of authority. It's therefore being stated as at least a professional opinion with the equivalent weight of fact, or representing facts.
If the opinion is meant to be just another opinion, then it shouldn't cause any blacklisting of any sorts anywhere.
Not to mention that the whole point of the list is for blocking in e.g. web browsers. Claiming it is just an opinion would be like a mobster claiming they didn't actually order a hit.
> If the opinion is meant to be just another opinion, then it shouldn't cause any blacklisting of any sorts anywhere.
I agree with this! The registrar should not have triggered a suspension because of this. They're not obligated to, and the two processes should be decoupled.
The registrar should ignore reports of abuse, especially if coming from an authoritative source with vast resources that's been collecting reports on its own?
No.
The source should be more careful. It's the equivalent of a renowned newspaper printing a warning about a restaurant being unsafe to visit. Should the customers' willingness to visit be magically decoupled from this opinion?
It's like a renowned newspaper saying the restaurant is unsafe, and then also the restaurant's landlord taking it at face value and locking the doors without further investigation. Both can be wrong.
> The registrar should ignore reports of abuse, especially if coming from an authoritative source with vast resources that's been collecting reports on its own?
I'm not saying they should "ignore" reports of abuse but treat them as they are -- reports. They can then perform their own independent investigation.
That may well have happened here. I suspect the author isn't telling us something.
Depends on jurisdiction. In the UK it's not an absolute defence, you still have to prove it's an opinion a "reasonable person" could come to based on facts.
How is it any more of an opinion to "mark" a website as "unsafe" than say, "contains CSAM"?
“contains CSAM” is likely an unarguable fact.
“unsafe” is a term that is both broader and more vague, so I would consider it opinion unless backed up by appropriate facts (like “contains CSAM”, “contains malware”, and so forth).
> “contains CSAM” is likely an unarguable fact.
Except when it isn't. CSAM may be easier to define and identify than pornography, but there still exists material that treads a moral grey area.
One is disprovable, the other is not.
Maybe libel is the wrong term, but erroneously marking a website as unsafe can lead to damages.
Only if it’s intentional (or maybe grossly negligent).
Google is grossly negligent
As someone who has also been bit by this, and with the only possible resolution being that I sign up for google services and register my site with them in the google search dashboard...
Fuck Google.
This is absolutely libel. They put a big fucking red banner on top of my site, telling the world that it's unsafe, using all the authority they have as one of the largest tech companies in the world.
In my case - it was a jellyfin instance I'd stood up to host family videos of my kids for my parents.
It was not compromised, and showed only a login page. I reported it as a false flag repeatedly, for weeks, with Google doing jack fucking shit.
Only after signing up in their search console and registering the site did the warning disappear.
They are abusively forcing people into their products. Fuck Google.
In case it wasn't entirely clear - Google can get fucked. Fuck Google.
There’s nothing wrong with your dislike of Google. No matter how much you dislike them, though, the word “libel” has a meaning that should be respected. To opine that a site is unsafe is simply not libelous.
It's libelous in Germany unless you can prove it's true. In fact people regularly get punished in Germany for things like calling politicians idiots, because they can't prove they are idiots. https://www.ft.com/content/27626fa8-3379-4b69-891d-379401675...
That depends on jurisdiction. E.g. in South Korea true statements can constitute defamation too.
That sounds like a spurious distinction. Pretty sure you can’t say “Person X is a murderer” and then say “well I’m only expressing my opinion, and in my opinion if you do something that annoys me that qualifies as murder.”
Nope, not in the US. It is perfectly legal to say, for example, "Kyle Rittenhouse is a murderer" despite him being acquitted. You're entirely free to disagree with the result, that is an opinion. Any opinion based on public knowledge is ok. It doesn't even have to be reasonable or rational.
What you can't do is imply non-public knowledge, aka "I heard from my cousin who works in law enforcement that Kyle murdered a hobo when he was 12 but the records were sealed", or state specific facts that can be proven true or false: "Kyle murdered a hobo on September 11, 2018 out back of the 7-11 in Gainesville, FL"
The standard for libel/slander is much, much higher than people think. It's extremely difficult to meet them, and for public figures, it's almost impossible.
> It is perfectly legal to say, for example, "Kyle Rittenhouse is a murderer" despite him being acquitted.
That's ... not quite true. I wouldn't go that far.
Sure it is, that's how the 1A works. Saying he was convicted of murder is not true, but calling him a murderer is an opinion. Your opinion doesn't even have to be reasonable. It just has to be based on facts that both you and I have.
1A rights are construed really broadly. The courts don't do the 'he wasn't legally convicted therefore it's illegal to call him one' thing.
If that were true, news organizations wouldn't be as careful as they are to preface the word "alleged" before the behavior -- before or after a trial. I don't think you'll find any reputable commercial newsgathering organization that makes a plain statement that Kyle Rittenhouse is a murderer.
The First Amendment doesn't protect the speaker against all forms of defamation (though it does put some barriers up that make it harder to win in some circumstances). If it did, defamation as a cause of action wouldn't exist at all.
As a practical matter, though, this is largely theoretical. Once you've been through the rigamarole of arrest, prosecution, and trial, even if you're found not guilty of the crimes committed, the reputational damage is just too widespread. You're not going to go after the defamers: there are just too many, and if you tried, there would be a fair question as to whether you have any positive reputation left to injure. Your life is pretty much ruined. It's a pretty terrible situation for the wrongly accused.
In my opinion, a .online domain is unsafe. 99% of people only visit ".com"s unless they clicked a scam link. Completely blocking the site is overkill, but the browser should warn you about it like it does with non-SSL sites.
Thanks for the laugh. Even if you only meant people from the US this is likely not true. What about government websites at .gov? 99% never visit them?
In other countries local TLDs are of course normal (e.g. .it for Italy, .za for South Africa, .cn for China...) and not only used for scam links.
What? I find myself on .net-s and .org-s all the time. For example... Wikipedia is .org. Do 99% of people not visit Wikipedia?
They should be held legally culpable for libellous claims they make.
I don't care if their pre-LLM AI says "thingy bad". They are responsible for the scripts or black boxes they control. I don't care if they don't give a reason.
Claiming bad/malicious/etc site is 100% libel. And doubly so, anybody who has been forced to agree to a ToS with binding arbitration should have it removed for libel.
> Claiming bad/malicious/etc site is 100% libel.
No it isn't. https://www.law.cornell.edu/wex/defamation
Please, use words correctly.
The words in your link do not support the words in your comment. Don't be snarky unless you are certain you're correct.
> a plaintiff must show four things: 1) a false statement purporting to be fact; 2) publication or communication of that statement to a third person; 3) fault amounting to at least negligence; and 4) damages, or some harm caused to the reputation of the person or entity who is the subject of the statement.
They falsely marked the site unsafe[1] on a published list[2], the results weren't checked and couldn't be appealed[3] and OPs site was taken down[4].
Sounds textbook to me.
It does. "Unsafe" is not a fact, it's an opinion.
"When Google marks a site as "unsafe" or "dangerous" in Chrome or search results, it is a factual finding based on automated detection of specific, technical security threats, rather than a subjective opinion. These warnings are triggered by Google’s Safe Browsing technology, which scans billions of URLs daily to protect users from malicious content"
Opinions and facts in a legal context usually come down to who is saying what. Someone personally says "this soup is bad" on a review site = opinion. A news site plastering it on their front page = fact.
A person saying something as an individual is usually considered an opinion. A company doesn't have that same protection.
> "When Google marks a site as "unsafe" or "dangerous" in Chrome or search results, it is a factual finding based on automated detection of specific, technical security threats, rather than a subjective opinion. These warnings are triggered by Google’s Safe Browsing technology, which scans billions of URLs daily to protect users from malicious content"
Whom are you quoting here? A court opinion?
Nope. Not correct. Companies have the same 1A rights, too.
In the US, it really doesn't matter who says it, the only thing that matters is who it's being said about.
If you are a "public figure" -- which is a much broader category in 1A law than you think -- then in order to prove defamation, you have to prove the thing was false _and_ that the person saying it knew it was false at the time. Not that they were mistaken, not that they were careless, not that they knew later, they deliberately lied and knew they lied as they said it.
If your next question is "how do you prove what someone was thinking", then yes. That is the reason it's nearly impossible.
Not talking about 1A rights or public figures. We are talking about
Opinions (Protected) vs Facts (Not Protected)
Defamation cases where individuals say something are usually considered opinions and companies are usually considered facts in the eyes of the courts. I say "Usually"
Defamation also DOES NOT require intent, but it requires a minimum level of fault (negligence)
Google saying something is unsafe in the web search or browser would not be considered an opinion because of their position of authority. It would not even be a debate since Google has already said they make decisions based on facts and data presented to them.
The only question is whether they are negligent in their assessment or response to a false report, and what the damages would be. In the case of a phishing report that is false, courts would already consider it defamation per se (damages presumed).
> Google saying something is unsafe in the web search or browser would not be considered an opinion because of their position of authority.
Everything the Supreme Court rules is an "opinion." And they're the ultimate arbiter of legal questions in the U.S.
Whether a statement is a fact and whether the person who said it is considered an "authority" or not are independent concerns.
We are absolutely talking about the 1A lol. Defamation is 1A law. It is one of the few recognized exceptions to the 1A.
And we are also 100% talking about public figures. "Public figures" include companies and it's a critical part of 1A since Times v Sullivan.
Google is a US company and has 1A rights. That's how it works. The rest of what you said is nonsense and is your idea of how it should work, but has nothing to do with how it actually works.
To be more accurate, defamation is civil tort law, circumscribed by the First Amendment. (Defamation as a cause of action is quite old, reaching back to our English common law roots, and goes back further in history, I believe.)
How was this Google’s fault? Seems clearly like Radix’s fault.
If a newspaper publishes a false story about a business and someone takes it upon themselves to attack the business, it's partially the newspaper's fault.
If a newspaper publishes a story about a business and someone takes it upon themselves to attack the business, the attacker is at fault, regardless of the veracity of the newspaper's claims.
I am in Canada, but I think it is the same in the US? A newspaper can be responsible here. For example, if they say "people should riot" and a riot happens, the newspaper could be responsible for all actions that resulted the same as if they were the ones doing the crime.
Same with if they become aware of defamation and fail to retract and make a statement. But newspapers will generally also thoroughly investigate themselves to make sure what they are publishing is true.
It is not the same in the U.S. (And, to be honest, I'm quite doubtful this is true in Canada, though I could be persuaded through legal citations that it is.)
It's both's fault. Google for making false and clearly damaging statements (libel) and Radix for acting on them.
(IAAL but this is not legal advice.)
It’s not libel. Defamation requires a false statement of fact. Marking a website as “unsafe” is an opinion.
I always wonder what the settlement and damages would be if google marked Amazon as a phishing site for even a few minutes.
The problem is that these gatekeepers of the internet respond to false statements of facts/opinions by so called professionals.
I had Cloudflare mark a worker as phishing because an AI "security company" thought my 301 redirect to their client's website was somehow malicious. (URL redirects are normal affiliate things.)
If the professionals don't understand the difference and cloudflare and google blindly block things, this is scary.
There is a potentially different cause of action, tortious interference with business relationships. It does require that the defendant intended to interfere in a way that would cause harm to the plaintiff, though. Proving Google intended such harm would be difficult and expensive.
Google intends harm to everyone on that list. That's the point of the list. Google is unlikely to have intended this specific harm, but they don't have to.
That won’t cut it in court.
Marking a website as "unsafe" in Chrome is equal to standing in front of the door of a small restaurant and blocking 71% of people going inside. Everyone first has to agree that they will enter the restaurant at their own risk.
That is more than an opinion. Chrome has a monopoly and should act accordingly. Blocking entry to a website should be a last resort, not just because someone didn't add their website to the whitelist.
Yeah. Everyone uses their list and being blocked by all web browsers is like having someone cover the doorway with a massive DANGER sign. It's insane that people are roaming around here arguing that it's ok because the damage caused is a necessity for "internet scale".
Right now, any damages are completely speculative at this point. I would suspect in this case, the damages are minimal, and taken in the broader context, the good outweighs the harm. Do you have evidence to the contrary?
Indeed. It is almost like how the Mafia operates. This person didn't submit his website to Google and now Google blocks visitors.
It's being stated as fact, not as an opinion.
(IANAL) It's not about how it's stated, but whether it can be objectively proven to be true or false. "unsafe" refers to the likelihood of something bad happening in the future. You can't prove that something bad will happen in the future, so it's opinion.
Also not a lawyer, but that makes intuitive sense. If I say "that food tastes bad", it's phrased as a fact, but a "reasonable person" (which is in fact a legal test used for some things, although I admit I'm not sure about libel) knows that there's an implicit "...to me" qualifier because the concept of taste itself is inherently subjective. My instinct is that while there are some things everyone would agree on as unsafe, it pretty quickly turns into a judgment call, and it probably makes sense to allow even ill-informed opinions that are made in good faith rather than malice or negligence. The question then becomes whether there's sufficient evidence to conclude something like that, and while the bar is lower for a libel claim than something criminal, it's still not obvious this would be provable here.
"Unsafe" is just a terribly vague word, too. As a layman, I wouldn't even know what that means with respect to a web site. What's "unsafe" about it? Is it going to shoot my dog? Is it going to drain my bank account? Is it going to give my computer a virus? Saying a web site is "unsafe" really isn't providing any interesting information, and it shouldn't be acted upon by pretty much anyone.
I agree that it’s not specific, but I disagree that it should be blindly ignored. It’s not like they have no reason whatsoever for their opinion.
This seems like a distinction without difference, given everyone in the ecosystem takes that "opinion" as true fact, including the market-leading browser produced by the "opinion"-haver.
I get that's mostly what corporate lawyers argue about, but it's functionally dishonest in this case.
That's like a business being dissolved because it got a bad rating from BBB. Absolutely insane.
That is the bit that jumped out at me immediately too. Why would a registrar take it upon itself to suspend a domain that another entity entirely blacklisted as part of their own completely opaque process? Who is Google? God?
On the flip side of the coin I cannot get a site removed that is a blatant rip off of one of our websites being actively used for invoice redirection fraud.
It's like being unable to get a passport because Microsoft has you on The List, and Microsoft needs to see your passport to check why you're on the list.
Considering that getting a domain is a normal part of business these days, this kind of thing should be illegal. Not to mention, why does Google have any say in this?
You know it's getting bad out there when corporations act like the government.
It's like the domain registrar is acting like a vassal state. I don't think Google actually has any say in their decision.
> Why would a registrar take it upon itself to
Because keeping Google happy, or at least not bothered, is an existential priority for registrars.
I am suspecting something like this too but what is the mechanism by which Google would have influence on the registrar? As far as they are concerned the domain is gone from their index.
Well, until a human can verify.
Which is likely slow without a poke; it's reasonable to base the decision on what's available.
That's just how reputation works.
It doesn't sound reasonable to me at all. Why would we think that the reasons Google blacklists a domain would align perfectly with the reasons a domain name would be suspended? In the end they don't seem to agree already, since the domain was unsuspended. Who knows why it was blacklisted by Google? Even the decision to unsuspend it looks arbitrary.
And anyone that trusts Google's judgement here clearly needs a reputation of their own.
Should the domain name matter? Or is this applicable to any domain?
Where did you do the warning?
So never buy TLDs managed by Radix then; what a crazy thing to kill domains that are blacklisted by Google AI...
I wonder if Radix has unknowingly created a negative feedback loop here. From Google's perspective, the DNS records disappear shortly after being flagged by Safe Browsing, which their heuristics may interpret as scammy behavior.
It's not about the .online TLD being "weird". The problem is that it was free. That's going to attract a swarm of fraudsters, spammers, etc, and then turn into a strong "this is probably fraud" signal in all kinds of fraud scoring systems.
There are lots of domains out there other than .com that are just fine.
.online, .top, .xyz, .info and .shop are some of the top TLDs that scammers use, precisely because of their rock-bottom registrar fees that make them attractive for sites that have a shelf life of a few hours or a few days before being blocked. As a result, many places have a blanket "suspicious" flag for fresh domains under these TLDs.
If you plan on building a legit site, do not use any of these cheap TLDs.
Paying through the nose for a .com that is remotely memorable and easy to spell is not a great path forward for a hobbyist or someone who simply wants their own domain for email.
I know someone with a .org domain, and even they have a ton of issues with false flags on their emails due to not coming from a big email provider. They’ve been blacklisted a couple times and regularly get flagged as spam. I’m surprised he hasn’t given up after dealing with this stuff for 25 years.
These new TLDs, I thought, were supposed to open up more options for regular people to get a domain that is semi-decent. Instead they’re essentially useless. Some of the prices are also still insane, due to assumed “premium” status or domain squatters.
There has to be a better way to police this stuff.
Probably this is what's happened here. Either the OP's domain was previously used for shady activities, or the almost-free stigma puts the whole TLD in the grey list of high-risk assets. That probably also explains the nuclear behavior of the registrar (suspension).
Free is good, but sometimes it's not.
Side note: My empirical experience is that vanity domains are disliked by some enterprise security systems. I have a friend who owns a .homes domain which ended up being blocked by quad9 as well as the enterprise security system of a friend's work for ~half a year. The block cleared by itself.
I had the same experience while buying another TLD. For ~1 month, certain people whose ISP "helpfully" had "safe browsing" features, simply blocked us outright. For being new and different.
The learning for me was that new domains are no longer trusted, and seemingly some vanity domains get even more strict treatment.
Even (uncommon) country TLDs too. I own a .vg domain which is a perfect match with the initials of my last name. My mails end up in spam quite often too, despite having set up SPF, DKIM, DMARC and all that stuff correctly. It's just not common so some security systems block it.
It's not just about being common, it's also about the share of abuse coming from such domains.
Or just incompetence, I had to lobby to get .org unblocked for mail at some CS faculty of a (not my) university, 20 years ago.
Usually not, just look at for example SpamHaus's top abusive TLDs. New TLDs dominate.
Fortinet blocks new domains by default so I can never check out cool new projects on the front page when I'm procrastinating nowadays :(
This does unfortunately actually work pretty well as a security measure. The new domains that are cheap and good for fun side projects, are also cheap for scammers.
For a while I noticed all the scam links my grandmother was getting were from ‘.top’ domains. I fully blocked it at the DNS level. Her DNS settings also block all newly registered sites for 90 days. She hasn’t ever had issues with it. But these have actively prevented her from clicking on scam links multiple times.
Facebook, google, and all the popular sites are all older than 90 days, on popular well known TLDs. My grandmother doesn’t seek out new trendy sites.
It was definitely something I considered when buying a new domain. I sorted by price, and then immediately ignored all the cheapest domains that were ~$1 because I’ve seen them being used for scams. They may be cheap but good luck using them.
Because the entire security mechanism of the www today is "look at the domain name to make sure it matches." And the TLD is at the end where people might miss it.
I still remember how Google banned my entire account without providing a reason for a small Android app (more than 12 years ago). To this day I have no idea why; it was absolutely a green-area fit tracker or something. There was absolutely no way to know the reason or unblock my account. Turned me away from Android development forever.
They want to make this the only way to run apps on Android too.
A relative’s business has had Google reviews frozen for years. Search results show the bad rating after some former customer and spouse left bad reviews several years ago. Appeal went into a black hole. Running a small business is at the pleasure of Silicon Valley.
Check with a lawyer if this counts as tortious interference. You could potentially win quite a large sum from Google.
Same shit happened to me - got my google account blocked overnight and locked out of most of my digital life. Learned my lesson and ungoogled asap.
One conclusion is:
> Not adding the domain to Google Search Console immediately.
I don't understand. What is Google Search Console, and should I add all my domains there right now?
https://search.google.com/search-console
And yes, you probably should, if only to pre-register your ownership thereof if google ever decides to nuke you from orbit
But if Google decides to nuke me from orbit, and my domain is registered there, the nuke can cross between my domain and my Google account.
Well, yeah, that's digital monopolies for you. I guess one can always create a dedicated google account to register each site with
It doesn't work, there was a Google employee here mentioning they assign a degree of separation to each account, any accounts that are deemed "close", are included when the ban hammer falls.
Google ties your accounts together on the backend though if they realise they're related, so this isn't as easy as it sounds.
If it's already in the Console when it gets blacklisted, you can appeal it without having to 'verify' ownership of the domain that, in this case, you no longer control the DNS of, because you completed that process when adding it to Console.
> I don't understand. What is Google Search Console, and should I add all my domains there right now?
Google's way of tying real identities of people to domains, without making it explicit.
Basically, your domain will be weirdly treated by a bunch of entities, nonetheless Google themselves, if you don't add your domain there (or some other Google property).
Especially with less common TLDs, like .online, they really want to be able to tie it to some identity, so unless you add it there, eventually your domain ends up on some sort of blacklist, in the case of the author it seems they used the "Google Safe Browsing" blacklist to get the author to involve Google somehow.
Open a fake Google account under your dog's name using a VPN? It doesn't have to be tied to your own every day Goog acct. Any old account will do.
To request a formal review, you must be a verified owner in Search Console.
Can't answer if you should add them or not...
But if you do - you would get some notifications from Google about that website/domain.
I've only ever seen emails of the "There's an increase in 4xx/5xx errors on site/page(s)"
I also get “there were crawl errors”, which upon investigation are for pages that never existed (and I’ve owned the domain for 20 years, so it's not a previous owner/operator thing)
https://search.google.com/search-console/about. Yes. It gives you options in cases as described here.
Was called webmastertools before.
By adding your site to there you can get data on how many clicks & impressions your site received on google, what keywords it ranks for etc.
You can also request Google to index your site on GSC as well.
You should probably add your websites to GSC.
We posted this warning on HN before: https://news.ycombinator.com/item?id=40195410
We struggled a lot when we opted for the .online domain for https://pinggy.io urls
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
I'm not particularly familiar with SEO or the massive black box that is Google Search - is this really as critical as the author makes it seem? I have both .lol and .party domains, both through porkbun (and the TLDs seem to be administered by Uniregistry and Famous Four Media, respectively), and both are able to be found on Google Search. It seems like this preemptive blacklisting would be the result of some heuristics on Google's end; is .online just one of the "cursed" TLDs like .tk?
> is this really as critical as the author makes it seem?
It is critical in the sense that if you want to appeal the decision in a case like this, it will go much better if you pre-verified that you own the domain.
(I don't think it has much effect on google search placement at all)
Yeah I'm guessing the TLD was the main signal, based on other comments linking to a thread about "Pinggy", who was also using a .online. The fact that Namecheap is giving them out for free means they probably are more scammy on average.
I've also never added domains to Google Search Console and haven't had blacklisting issue other than with a free .ml (another "cursed" TLD) site that was by default assumed to be spam by Facebook Messenger.
It's unfortunate that this category exists, but I don't share the OP's .com purism; I've used a mix of TLDs and even the cheap ones like .fyi and .cc haven't come under extra scrutiny as far as I can tell.
Domains are signaling. If you have a .online domain you are signaling you can't afford the equivalent .com domain. All the TLD annoyance is a consequence of the lack of status pressure ameliorating the experience of those domain holders (in the same way you never see public health crises in rich neighborhoods)
> If you have a .online domain you are signaling you can't afford the equivalent .com domain.
Or don't want to pay a $2k ransom to a name squatter... For some businesses that is a rounding error (saas, other high volume high margin stuff), but for small businesses like restaurants or event planners, spending that much on a domain name would be foolish.
It sucks so much that there is no standard way of linking additional domains to your main one and inheriting the reputation.
Want to set up a new domain for whatever purposes (conference, new product, etc)? Be prepared to spend the first half a year fighting the various blacklists before people can actually reliably connect.
Would make so much sense if you could just have a .well-known/other-domains.txt (or something something DNS) with a list of domain names that should be considered just as trustworthy as your main domain.
It's not even about .online or other weird TLDs, it's just that the domain is new and therefore "not trustworthy". Even worse if you need to use your existing branding on the new domain - instantly flagged as a phishing site everywhere.
We need to rethink the web so that fewer third parties are involved in things that seem on the surface to be an A-B conversation. To say nothing of the trustworthiness of those parties, having them involved at all is needlessly brittle.
Moral of the story: never ever use a registry that bases its decisions on Google Safe Browsing. Radix in this case. A very modern looking website for really caveman support.
There's no way to know this until it happens to you or someone else.
Does anybody know any good alternative to Name Cheap? It seems like they keep raising prices on all the domains. Website is very sluggish, especially for finding domains quickly.
The AWS registrar is actually not bad.
cloudflare is the cheapest - they do it at cost.
Wow, thanks. You were right. I Googled and it says Cloudflare is cheaper by twenty-five to fifty percent on renewals. I'm really sick of namecheap. They seem to never stop raising prices. But I'm also kinda wary and afraid of moving domains and losing it.
Cloudflare is doing the enshittification strategy, enticing you now, and then extracting value later. You don't want your domains to be in Cloudflare when they lock the gates. If it's a temporary domain, go ahead I suppose.
But was this because it's .online? I got one and it was fine.
The only issue was the usual trap with all Namecheap domains: They tell you it's all set, and it works, until they randomly email you a week later asking for email verification. If you don't do that promptly, they suspend your domain until you trigger a resend. Which is easy to fix but also strange.
The blog post details that the TLD registry, Radix, decided that getting put on Google's safe browsing list means they put a serverhold on your domain, which prevents you from getting off the safe browsing list.
So yes, this appears to be a TLD- (or at least registry-) specific issue.
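The feedback loop described in this comment (Safe Browsing listing -> registry serverHold -> no way to serve the ownership proof a review needs) can be watched for from the domain owner's side. This is an added example, not code from the thread, from Radix or from Google: it parses the EPP hold statuses in an RDAP domain record and the matches in a Safe Browsing v4 Lookup API response, and combines them into one verdict. The live query helpers use the real rdap.org redirector and the real v4 `threatMatches:find` endpoint; the domain, RDAP record, API response and API key are all constructed placeholders.

```python
import json
import urllib.request

# RDAP status strings (RFC 8056) mapped to the EPP codes the thread talks about.
RDAP_TO_EPP = {
    "server hold": "serverHold",
    "client hold": "clientHold",
}

SAFE_BROWSING_ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
THREAT_TYPES = [
    "MALWARE",
    "SOCIAL_ENGINEERING",
    "UNWANTED_SOFTWARE",
    "POTENTIALLY_HARMFUL_APPLICATION",
]


def rdap_hold_statuses(rdap_record):
    """Return the EPP hold codes present in an RDAP domain object, in order."""
    return [RDAP_TO_EPP[s] for s in rdap_record.get("status", []) if s in RDAP_TO_EPP]


def fetch_rdap(domain):
    """Live RDAP lookup via the rdap.org bootstrap redirector (network required)."""
    with urllib.request.urlopen(f"https://rdap.org/domain/{domain}", timeout=15) as resp:
        return json.load(resp)


def safe_browsing_request(urls, client_id="domain-monitor"):
    """Build the v4 threatMatches:find request body for the given URLs."""
    return {
        "client": {"clientId": client_id, "clientVersion": "0.1"},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def parse_safe_browsing(response):
    """Map each flagged URL to its threat types; an empty dict means no match."""
    flagged = {}
    for m in response.get("matches", []):
        flagged.setdefault(m["threat"]["url"], []).append(m["threatType"])
    return flagged


def lookup_safe_browsing(api_key, urls):
    """Live Safe Browsing query (network and an API key required)."""
    body = json.dumps(safe_browsing_request(urls)).encode()
    req = urllib.request.Request(
        f"{SAFE_BROWSING_ENDPOINT}?key={api_key}",
        data=body,
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def assess(rdap_record, sb_response):
    """
    Combine the two signals into one verdict:
      "stuck"   - Safe Browsing match AND a hold: DNS no longer resolves, so the
                  site cannot serve the ownership proof a review needs
      "held"    - hold set by registry/registrar, no Safe Browsing match
      "flagged" - Safe Browsing match but DNS still resolves: appeal now
      "ok"      - neither signal present
    """
    held = bool(rdap_hold_statuses(rdap_record))
    flagged = bool(parse_safe_browsing(sb_response))
    if held and flagged:
        return "stuck"
    if held:
        return "held"
    if flagged:
        return "flagged"
    return "ok"


# Constructed sample responses for a placeholder domain (not real records).
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example.online",
    "status": ["server hold", "client transfer prohibited"],
}
SAMPLE_SB = {
    "matches": [{
        "threatType": "SOCIAL_ENGINEERING",
        "platformType": "ANY_PLATFORM",
        "threatEntryType": "URL",
        "threat": {"url": "https://example.online/"},
        "cacheDuration": "300s",
    }]
}

if __name__ == "__main__":
    print(rdap_hold_statuses(SAMPLE_RDAP), parse_safe_browsing(SAMPLE_SB))
    print(assess(SAMPLE_RDAP, SAMPLE_SB))  # stuck
```

Running `assess` against live `fetch_rdap` and `lookup_safe_browsing` results on a schedule gives an early "flagged" warning while the DNS is still up, which is the window in which a Search Console review can still be requested.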
Unfortunate story. It wasn't clear to me that the .online TLD led to Google blacklisting the site. Why did you think that was connected?
The problem isn't Google Safe Search blacklisting the site (I mean that also is a problem, but a very different one).
The problem is the vanity domain registrar Radix using that as a reason to _put the whole domain on hold, including all subdomains, email entries etc._
This means:
- no way to fix accidental wrong "safe search" blacklisting
- if it was your main domain no mails with all the things it entails
- no way to redirect API servers, apps etc. to a different domain. In general it's not just the website which it's down it's all app, APIs, or anything you had on that domain
Google Safe search is meant to help keep chrome users safe from phishing etc. It is fundamentally not designed to be an Authority Institute which can unilaterally dictate which domains are no longer usable at all.
Like basically what Radix did was a full domain take down of the kind you normally need a judge order for... caused by a safe browsing helper service misfiring. That is REALLY bad, and they refuse to fix their mistake, too.
You normally don't have _that_ level of fundamentally broken internal processes absurdity with the more reputable TLD operators (which doesn't mean you don't have that in edge cases, but this isn't an edge case, this is their standard policy).
At the same time given the already terrible reputation of such vanity TLDs, being this hard on abuse might be the only survivable way.
That's not me saying there shouldn't be a warning and a recourse, but the time-to-profit for domain abuse is really short so anti-abuse actions have to be quick.
This isn't being hard on abuse though, this is being lazy and incompetent.
I'm fairly sure that Safe Browsing's false-positive rate is extremely low otherwise it'd be unusable in Chrome. Which also means that acting on positive results is very likely a correct approach.
Safe browsing is meant for websites, not domain names. You really want your registry acting on it and nuking your email services, intranet services, cert renewal automation, et cetera?
My understanding from the article is that because the registrar for this domain is using Google safe browsing for their domain suspension, something that a) shouldn't be the case and b) isn't the case for other, perhaps more mainstream TLDs
Right. Sounds more like a registrar problem than a TLD problem. They should change the article title to "Never buy a domain from Radix"
Radix is the registry for .online, not the registrar they bought the domain from.
The registrar suspended the domain because it was on Google's block list. And Google refuses to review the ban because he can't prove he owns that domain (because it's suspended :D).
The first mistake anyone makes is thinking they are “buying” anything with a domain. You’re renting it. And the company you are renting from can arbitrarily push up the price above inflation. NameCheap is good for the basics. But a .site or .online domain is a no-go beyond an MVP/test.
I'm sorry that the author got bitten by this. But .com purism is funny to me. I only buy GTLDs for personal projects, and I've never had a problem before. But then, I've never bought .online.
Are there any other TLDs that are of this ilk or are we saying nothing but .com will ever do? Or .org, perhaps?
.com, .org have legacy contracts eliminating the shenanigans they can pull. .org did try to get out of restrictions on hiking the price on renewals, but wasn’t successful. So all my domains are either .com, .org or the TLD for the country where I live (of course, how trustworthy your local ccTLD is varies)
It's not exactly the same, but a lot of owners of weird TLDs have got hit with insane renewal fees. .hosting went from $20/y to $300/y overnight.
Also, some TLDs directly speculate on having very low prices for the first year or two, then 10x it on year 2 or 3.
Buy all 10 years you can when you get the domain. Renew yearly. When they pull silliness like this you have at least 9 years to migrate.
I would love a list of Radix TLDs or registrars who do this Safe Browsing ban with no appeal.
Also, go figure Namecheap works with these morons.
from their site (radix.website):
.store, .online, .tech, .site, .fun, .pw, .host, .press, .space, .uno, .website
not sure about other registrars
The ones used by freenom were particularly abused:
https://prezkennedy.com/2026/01/15/the-free-domain-trap-the-...
> Freenom’s terms of service allowed them to “cancel” a free domain at any time without warning. Users reported for years that as soon as their free site started getting significant traffic (and becoming valuable), Freenom would reclaim the domain and fill it with ads, effectively hijacking the user’s hard work.
Oh, sh!t, I used to own a .tk! Have no idea what happened to it.
At least for the last few years of Freenom, you could only get a domain for up to a year. Once that lapsed, they parked it and you had to pay to extend it further.
Some of these TLD also get thrown under weird arbitrary blacklists by security vendors.
Sorry, can’t buy a frame.work laptop because that’s a “Malicious TLD”, according to the folks at ZScaler.
Are you 100 percent certain that the domain name wasn't registered before and then got on the blacklist because of prior misuse?
It's quite possible that the domain you chose was registered previously and dropped because the previous owner misused it and burned that domain. The .ONLINE extension has been around for several years now.
I can't be 100% sure but googling showed nothing. My site was up for almost 6 weeks with no issues. I used the domain for Apple's review process too. No issues at all.
I feel like google should be sophisticated enough to tell when a domain has expired and gone up for auction/resale?
Why was the domain blacklisted though? What can we do to prevent blacklisting in the first place?
Most definitely nothing, as no sentient humans are probably involved in the process except possibly malicious people that report a site in bad faith.
If the domain is being given away for free, it will be used a lot for scams etc, so a lot of systems will just start blocking it immediately. When I got my first domain, I used one of the free TLDs and my university blocked it completely due to it being a scam. Not for any of the content on it, just the TLD being commonly used by scammers
Probably cause of things like "southwest.online"
That’s my question. I’ve launched many fresh websites that have not been marked as unsafe by Google. If they were habitually doing this, there would be far more reports of it.
I suspect there is something the author is not telling us.
Even if the false-positive rate is very small (e.g. 0.01%), you probably won't be affected, but more than a hundred thousand websites would be and that would still be an issue. I have no idea how big the false-positive rate is.
There are many reports of the same happening to other sites, some of the top ones (you can find many more by searching HN for "google safe browsing"):
- https://news.ycombinator.com/item?id=33526893
- https://news.ycombinator.com/item?id=25802366
- https://news.ycombinator.com/item?id=45675015
From a false alarm to something the previous owner did. Remember, domains are recycled.
The domain has no history as far as I could search and the site was up for almost 6 weeks with no issues before it was nuked. I used it with Apple's review process!
The big scary red warning page should at least tell you it’s phishing or malware or something else. OP didn’t have a screenshot of that. You can easily go to a safe browsing test site yourself at testsafebrowsing.appspot.com and find that Google does divulge the category of the blacklisting.
OP says:
> no gore or violence or anything of that sort
That’s not even the right criterion. OP is confused about Google Safe Browsing vs Safe Search.
I just wanted to cover all the bases. The site has one outgoing link to the App Store and 3 screenshots.
That sounds like a competitor of yours manually submitting your site to Google for “impersonating” them or something. Anyone can submit URLs to Google to suggest they be blocked: https://safebrowsing.google.com/safebrowsing/report_phish/ Perhaps some overworked underpaid analyst had a lapse of judgement. I’m sorry that this happened to you.
wait, this actually makes things sound even worse because anyone who might not like your product can add it to google and google can sometimes be none the wiser and then add it to phishing link which could then lead to their domains (ie. any TLD's hosted by radix.website) being lost in void essentially unless you have verified the domain in google analytics and even then I would consider this whole situation to be so messy.
At this point, NEVER buy any radix.website TLD domains.
I am seeing pinggy had the same issue with their .online domain and this actually definitely caused hurt to their business https://news.ycombinator.com/item?id=40195410 (I saw this post from their comment in here referencing it)
Took me a minute to realize Sid isn't associated with 0xide.computer. Clever domain name!
Getting Google to index my personal site has been a pain. Every other search engine works fine, but ever since I switched the images on my site to .webp (a format created by Google!), my site's content just doesn't get indexed anymore. I've given up since web search traffic matters less and less these days with LLMs, and it only really bothers me when I'm trying to search for my own articles.
Ha, thank you. I spent more time than I'm willing to admit to come up with it.
I use my older, much longer domain for email and identity (it used to be #3 on SERP for "Sid"). This one is just for giggles so I can blog in peace without affecting the main one.
tried to roll my own email server on a .xyz domain...basically a big no go, couple of emails went through, then nothing, just a black hole. Thanks corpos and the safety theatre.
Call me a luddite but if it isn't one of the original big TLDs, a country TLD, or similar, I just don't trust it for anything serious.
I believe that .de domains are pretty cool (I've written another comment about it) but .de are $3.25 for registration and .de is the second most common after .com, so from webatla I see approx 16 million domains.
I don't think that they could ban emails from .de for what its worth.
Personally I like .in domains too. Makes more sense to me because I am, well, Indian and we all use it quite frequently/sort of intuitively know it fwiw, but if I just want a domain for email purposes for cheap, honestly, .de could be good.
https://tld-list.com/ [Try seeing the cheapest renewal rate with top level TLD and ignore .storage which costs $465 for registration smh]
Some other domains like .top exist as well in this league imo but .de is one of the best if you can find a relevant domain in .de
In Defender for Exchange (or whatever they call the filter in exchange online these days), there is a checkbox that blocks .xyz and .biz as a bundle. Why those two? dunno, but microsoft especially hates them.
So Google can single-handedly break any domain? Sounds like total control of the Web.
Google should really be seeing some anti-trust action for requiring you to create an account with them on their search console in order to contest being added to a blacklist used by all the major browsers.
On a side note, thanks for wisp. I was looking for something like it so I could use it to quickly test the web builds of my tauri mobile app.
Oh wow, I didn’t even think of this use case. Could I please get in touch for a bit more info?
A list of all registered (3,231,464 domain so far) .online domains is here: https://allzonefiles.io/zone/online
This is one of the pains of centralization. And honestly, it could happen with any TLD.
https://www.icann.org/compliance/complaint
never buy anything other than a .com domain
especially country level domains, they are not regulated and your registrar can ignore whatever requirements they have to fulfil
Having .online already 5 years. No problems with email or website. Don’t understand that blog post. More problems can be with .xyz
Also, I don't recommend using a .xyz domain for email sending. These domains are often marked as spam, and some email providers don’t support them.
A great reminder even if you aren't a Google customer, Google's love of banning people with no notice or recourse will still screw you over.
I'm shocked there was no notification, or alert, of any kind. One moment you're there, the next, you're gone and no one will talk to you. Insanity.
That’s not fair. Google has no hesitation in banning its own customers either. Combine this with private equity vultures (namecheap) and shitty registrar, you are always one AI token away from being banned.
Shit, didn’t know that namecheap was acquired by PE! Very sad news. Is there any registrar left that isn’t crap?
Not sure how you feel about them as a company, but I use Cloudflare because they sell domains at cost.
Of the suggestions, I think I would lean to CF, too.
Porkbun is not bad, Gandi has fallen as well.
Dynadot
Yea, regarding namecheap/spaceship (their sort of subsidiary company): I once created a tool which could find me a cool short .de domain out of curiosity and I tried using namecheap's bulk domain feature.
It said that https://aid.de was available. I was over the moon happy (silly me) thinking that it's such a good domain or something.
Then I saw aid.de available on namecheap for around $2-ish but for some reason I took a bath and then later it showed $10-ish.
Okay, I then went to spaceship and it also showed me aid.de available. I then took my card and signed up
Well the transaction took place but got refunded. It said that there was an issue or something and got insta refunded
Silly me, thought that the payment had issues and decided to do payment again. This time though my refund had to wait 10 days to come back because of international laws.
Now I had only a very small amount stuck, but I can see someone losing substantial money/having it stuck.
I contacted their support and they told me that both namecheap/spaceship have a bug where some domains show available when they aren't.
I haven't checked since the amount was like $1-2, but this whole thing really soured my relationship with namecheap/spaceship.
For context, before this, I also had a hate/love relationship with namecheap because once I bought a domain with them using crypto and also bought their vpn which was like 20 cents basically
It had auto renewal on and my domain cost $1 but crypto payment requires a $10 minimum and the VPN charged me money from that.
Luckily I had spotted before the 2nd month and to be honest, like only 1 month 10 days or something and I urged the namecheap company to do what's right (in that moment because a lapse of judgement had been made from my side/error and I hoped that namecheap could realize it and do "right" instead given that the cost was only around 10$ fwiw)
After waiting for many days, they finally did what's right and gave me my credits back as a one off thing and I then turned off their domains.
I also used a crypto swap thing to convert b/w usdc and btc (what namecheap accepts) and I had an issue of doing two times payment after the timeperiod of btc payment (15 mins) but they also fixed that issue by adding the credits manually when I raised the issue.
Their customer support at times can be good but the platform itself is a little shady in my opinion. For the VPN thing if I remember correctly, the auto renew was written with grey and I genuinely didn't read it without my specs.
I am gonna keep my domain with namecheap that I have and if I get deals from namecheap/spaceship then use them, but for individual domains without deals, hell no.
I know that many people don't like the centralized nature of cloudflare but cloudflare is a good thing for domains :/
I personally just buy domains from wherever there's a deal right now as some domains I have are some that I keep for only 1 year or similar.
To be honest, if I want to pick a domain-thing, I'd rather pick the one which is the cheapest or if not, then the one which only sells domains
I just looked at porkbun and they only sell domain related things and at best mail (they also have a deal with proton which can be interesting to many)
Porkbun is also cheap so I think I would recommend porkbun/cloudflare.
I haven't decided if I will transfer my domains from namecheap or not but their customer service is nice but the same can't be said for their service sometimes in my opinion.
I blame both the registry and Google.
If you were a lawyer, you could have fun with this.
Btw, perhaps unrelatedly, we had a domain marked as unsafe by Google as well for no particular reason.
This sounds like something ICANN should prevent. Is this not against ICANN rules? These fuckers ban emoji domains, maybe they should ban registries from arbitrarily stealing domains with no recourse. Maybe write to them and see if they can move something.
Last year, my registrar wanted €64,99 to extend an online domain which I had created for fun.
No thanks.
yeah same here. I canceled my account on name.com because I had previously obtained a .art domain maybe for ~15-20 USD / yr. Then they wanted $50 USD a year to extend it. No thanks, dropped the domain and moved to namecheap
If the price increase was from the registrar and not the registry you should have been able to move to a different registrar with saner prices.
Namecheap does the same thing though, at least they did with an .online domain I have.
I got og.plus that expands to OpenGraphPlus.com.
At first I was stoked to have a two letter domain, but then I looked into it and learned these companies will get you hooked with a low initial price, then jack up the prices as the domain becomes established.
Quite the grift. My plan is to tread lightly on that domain and be ready to back away from it when the rent seekers move in.
You’d think there would be some sort of rules to the neutrality of these TLD administrators, but nope.
The second time around I wised up and got ogplus.net for an API domain instead of ogplus.media. I’ll take neutrality over vanity any day.
Google have way too much power to mess people's lives up. Especially for an organisation with basically zero customer support.
So this happened only because google is so big, that it can point to any website and say that it's not safe. Even if owner of a site just don't want to be in their search engine in the first place.
How on earth did we end up with this company bothering everyone, including those that want their services? Imagine that you could get your driving license banned because you did not buy a Toyota...
.com is definitely the gold standard. I got an .io more than a decade ago and if I could go back in time, I would just use .com; the pricing for .io has been increasing for no apparent reason.
People often make the mistake of treating .io like a gTLD, when it's actually a ccTLD for the "British Indian Ocean Territory" etc. ccTLDs have always had risks, especially when they are for a really tiny region.
Similar issues to .io happened with the popularity of .tv domains, which again is a ccTLD. The government of Tuvalu sought to increase income from sales of their ccTLD and prices went up. Tuvalu is such a small nation .tv domain sales ended up making a significant part of the State's income.
Another fun example of the mess you can get into with ccTLDs was when the UK left the EU. All UK registered .eu domain names were cancelled following the UK exit from the bloc.
gTLDs generally have some degree of insulation from State-level politics. ccTLDs permit the nation or territory they represent much more say in how they are priced and who they are sold to.
Interesting, thanks for the info, definitely didn’t know that back in ~2012, but lessons learned, only .com or .org I have been buying in the past years.
> Update: Within 40 minutes of posting this on HN, the site has been removed from Google's Safe Search blacklist. Thank you, unknown Google hero! I've emailed Radix to remove the darn serverHold.
I wouldn't party too soon - from my experience getting something removed from Google's libel machine doesn't mean the same process that put it there in the first place is fixed, and you will most likely go through the same thing again and again.
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
This is just another way how Google has inserted themselves as the gatekeeper of the web.
Never use a “free” domain is a better rule. Even if there were no technical or administrative issues, nobody trusts them.
I could also buy that the free domains were run up by scammers, which could have caused some of the hair-trigger Safe Browsing denylisting.
The logic doesn't automatically extend to other TLDs unless they too are owned by the same firm. Alternative TLDs are often preferable because they're so much cheaper than wasting money on a .com, etc.
Most alternative TLDs are more expensive than .com after first-year teaser rates expire, though.
There are various gTLDs that are cheaper. For example, .top is great and among the cheapest. It however is falsely maligned by those with small brains who stereotype things.
I like .top domains as well but .de might make more sense.
Considering .top domains have cheap registration and renewal, to me it does feel as if .top is very speculative. I liked to search random things in tld-list to find unique-word.<any tld>, like random.top, but my past experience says that .top domains are bought quite a lot / are very speculative.
If possible I like .de, but I think that .top is fine too. Both are great for what it's worth.
> It however is falsely maligned by those with small brains who stereotype things.
I didn't know about this, can you please elaborate more about it?
> I didn't know about this, can you please elaborate more about it?
Those with small brains who stereotype things often claim that .top is used only for scams, and that if a site is using .top, it means they're a scam site. In making this foolish assertion, they confuse P(A|B) with P(B|A). To continue, see the ChatGPT share 699f272e-475c-8012-ae9a-a89bd136fd01
> it does feel as if .top are very speculative
Sure, they can be, but again it's no reason to stereotype. They can be or become whatever they want to be.
https://tld-list.com/ Try looking at this website sorted by cheapest renewal rate and removing second-level country TLDs (so only top level).
In my opinion, .de, .ovh, .uk, or personally my country's .in (yes, OVH has its own TLD that you can use).
.de is one of the more interesting domains to me personally, even though I am not German.
why not just buy a .co.xx (country) or simply .com / .net
and if hectic maybe .io
One time I bought a .dev domain, which is/was run by Google, and after missing the renewal deadline by less than 24 hours, the renewal price jumped from less than $30 to $800.
Is this even legal?
I don’t know that the advice is solid in terms of never buying an alternate TLD.
There are always the actual country TLDs, which (mostly) have specific regulations governing their use, and an actual government body to appeal to in case of unsolvable issues like this.
Top of HN. Well, I guess you could say that Radix's strategy to give away domains backfired spectacularly.
Honestly, all of these weird TLDs are expensive in the long term; I don't see the point of getting them.
Another case of Google extorting users and showing mafia-like behaviour.
So, how is this not libel by Google? The claim was that you were running an "unsafe site". It's their job to prove that, and not just "black box says so".
And you have system and reputational damages.
Go for small claims suit, $5000. It'll cost more than that for their attorney to go to your jurisdiction.
It’s not libel. Defamation requires a false statement of fact. Claiming a website is “unsafe” is an opinion.
(IAAL, but this is not legal advice. Consult a licensed attorney for legal advice.)
because Google Safe Browsing is only supposed to display a "not safe to browse" warning when using Chrome browsers (and maybe some other browsers) which you can (theoretically) dismiss(1)
it's not meant to have any other consequences
so basically what happens is that because of hearsay of Google thinking your site is not bad, Radix does what normally should involve a judge's order (taking down the whole domain)
(1): Yes, that still would cause damages on any site with customers, but way less and way more fixable than what happened here.
This is libel, indeed.
The .com purist advice is sound but you're not getting four-letter domain names that way, and in some ccTLD zones you can still.
I was price-gouged out of owning a single, rare .icu domain when the renewal fee for it went from 20 USD to 220 USD overnight, just for this one domain... I'm pretty sure it's not Gandi, but the TLD operator, because other .icu domains I've had were fine. I decided to eventually abandon them all anyway. Moved away from Gandi later when they started doing gouging of their own, too.
What is HN's opinion on Dynadot?
Yeah, what the heck happened to Gandi? It used to be my go-to, but nowadays... yikes!
They got sold to private equity, unfortunately. I switched to Bookmyname (by Scaleway) for some TLDs, and Infomaniak for others.
Can we trust Cloud registrars like Bookmyname/Scaleway, Amazon Route 53, Cloudflare more than Namecheap, Gandi and co?
I think that it's a good thing when domains aren't their main source of income. It gives them more incentive to provide good, stable experience and pricing.
More than what Gandi was? No.
More than what Gandi is now? 100%
Wait, if I remember correctly, I think it's possible to now buy domains from Scaleway directly within their interface
https://www.scaleway.com/en/domain-names/
Could be very interesting for the people who love/host on scaleway.
Scaleway is a good company fwiw imo.
Private equity cancer, same as Namecheap.
Reddit's r/namecheap is also full of horror stories.
Sorry, but you can't have a domain if Google bans it? How does this work?
“never buy a non-.(com|net|org) domain”
ftfy
I agree, but if I ever get a chance at .edu, .mil, or .gov I'm gonna take it.
There are still some fun domains grandfathered into the .edu hierarchy, from back in the day when registration criteria were not-so-strict.
.mil and .gov have always been too strict for ordinary folks though.
Enshittification at its peak (or is it at its peak already?)
There is no peak, because it's a hole, and we can always dig deeper.
OP shouldn't blame .online registry operator Radix.
It's literally 100% Radix's fault?
Because? It seems like the blame is very squarely on their shoulders.
Hot Take: the proactive action of the registrar here is probably more beneficial than the number of false positives captured. If the registrar is aware that Google is hot on blocking potentially harmful sites, it's right that they take action expeditiously.
The bigger problem is the unbanning - for which there should be a better system, probably that should take the form of the registrar having a short grace period to aid in the Google stuff (DNS verification etc.) with additional checks by the registrar to make sure it's not being used for spam/malicious content.
The other point being why was Google banning you so quickly? This is the opaque part. Was the site reported? Was there some URL hijinks? That's the thing you'll probably never find out.
Relying on Google for this is actually not beneficial, as discussed here many times: https://hn.algolia.com/?q=Google+safe+browsing
If the registrar tracks this information, a possibly helpful course of action would be to notify or warn the domain owner that they are on the list.
In the modern adversarial web, I do not want a registrar that proactively disables my domain because of some third party report.
> The bigger problem is the unbanning
That was my first thought as well. Yes, using the Safe Browsing list feels wrong, but I don't know enough to speak definitively in that regard. However, wouldn't a relatively simple solution be that if a registrar is choosing to use some third party's list of banned DNS entries, the registrar then also implements sufficient unblocked components that will allow people to be unbanned from that third party?
> Add a DNS TXT or a CNAME record.
I haven't had a use-case for a TXT record come up yet, but isn't it low risk enough to allow domain owners to continue to configure TXT records even if the registrar wants to ban configuring other record types? Then the person in the article could prove ownership and could then get off of the third party ban list that the registrar was utilizing.
DNS can be thought of as a distributed KV store with built-in caching suitable for low-write, high-read use cases, so TXT makes sense for that. E.g., basic feature flagging can be accomplished that way with basically no work to set it up, assuming you were already using DNS.
The registry cannot ban individual record types. That is not how DNS works.
The registry only maintains a list of NameServers associated with the domain (and records for DNSSEC zone signing). Registries have nothing to do with regular records. They only record who defines those records.
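As an added example, not from any commenter here: since the registry's only lever is the delegation itself, the status it sets on the domain (the serverHold mentioned further up) is the first thing a domain owner should check. This Python reads that status out of an RDAP response; the sample responses and host names are constructed, not real lookups.

```python
"""Added example: read a domain's registry status from an RDAP lookup.

RDAP (RFC 9083) returns the registry's view of a domain as JSON. Its "status"
array carries the EPP status codes in the RFC 8056 spelling: EPP "serverHold"
becomes "server hold", "clientHold" becomes "client hold". A hold removes the
domain's NS delegation from the TLD zone; the registry never touches individual
records, so while a hold is set no TXT or CNAME under the name is reachable.
"""
import json

# Holds that pull the delegation, and who set them (EPP RFC 5731, RFC 8056).
HOLD_OWNER = {"server hold": "registry", "client hold": "registrar"}

# Constructed sample responses; placeholder names, not real lookups.
HELD_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.online",
    "status": ["server hold", "client transfer prohibited"],
    "nameservers": [{"ldhName": "ns1.dns.example"}, {"ldhName": "ns2.dns.example"}],
})
CLEAN_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client transfer prohibited"],
    "nameservers": [{"ldhName": "ns1.dns.example"}, {"ldhName": "ns2.dns.example"}],
})


def hold_statuses(rdap_json: str) -> set:
    """Return the hold statuses present in an RDAP domain response."""
    data = json.loads(rdap_json)
    return {s.lower() for s in data.get("status", [])} & set(HOLD_OWNER)


def delegation_active(rdap_json: str) -> bool:
    """True only if name servers are listed and no hold removes the delegation."""
    data = json.loads(rdap_json)
    return bool(data.get("nameservers")) and not hold_statuses(rdap_json)


def who_to_contact(rdap_json: str) -> str:
    """Party whose hold must be lifted: a server-side hold is the registry's
    alone, the registrar cannot override it; "nobody" when no hold is set."""
    holds = hold_statuses(rdap_json)
    for status in ("server hold", "client hold"):
        if status in holds:
            return HOLD_OWNER[status]
    return "nobody"
```

With the delegation gone, a TXT-record ownership proof cannot succeed until the party named by `who_to_contact` lifts the hold, which is exactly the loop the original post describes.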
There is _some amount_ of justification to ban TXT. There have been a few cases of C2 servers using DNS to send instructions to malware, so letting TXT slip through the cracks would still allow for that.
Now whether this downside justifies the massive problem it causes on false positives...
TXT can't be banned. There are several RFCs that require TXT records, such as DKIM configuration, DMARC configuration, and it is extensively used for verification by things like AWS SES, Microsoft Office, and all kinds of things. It's built into many standards and used by all kinds of other entities for all kinds of perfectly legitimate things.
yes, but in those cases we are on the "this (should) involve a criminal investigation" level, not on a "Google Safe Search doesn't trust you" level
they didn't "just" take down the site, they took down the whole domain
Even Google Safe Search isn't blocking your site per se, it just adds a very annoying "this site is not safe" dialog you can "somehow" bypass (but most people won't and don't know how).
Like if this were the main site of a company (which it very much could be), this would also have taken down mail, all APIs, all apps relying on such APIs.
So no, these are absurdly unreasonable actions.
That they seem to neither know nor care that this makes it impossible to "fix" false positives with Google isn't helpful and puts this in the area of high levels of negligence, which can get you into a lot of trouble in the EU.