271 comments

[ 2.9 ms ] story [ 254 ms ] thread
Interestingly, I recently saw a couple a couple of google.* domains available on Google Domains, including some reasonable-sounding ones: IIRC, google.tech (edit: google.page), google.business, and google.camp. Tried to purchase them but they instantly became unavailable the moment I tried to do so. The cynic in me thinks that Google has a special check for those and renews it themselves if someone tries…

More generally, however: all these TLDs are kind of stupid, and trying to make sure you own every single TLD for your business is similar to a protection racket where you have to pay just so something bad doesn't happen to you. Perhaps we should stop trying to make a billion of them.

Even better yet, it would be interesting if we just abandoned TLDs. There is no reason why http://google/ can't work, really, with a bunch of infrastructure changes.
With the super shady sale of .org it may be time to consider who these people are selling essentially nothing.
DNS suffix, to name one.
I remember seeing a NIC that did this with their TLD. But I can't remember which one :/. I would love if someone finds it.
I think it's pretty common. Our national NIC does it: http://dk redirects to their website.
This redirected to https://dk.com for me. Is this my ISP's DNS messing with me?
Firefox will sometimes append .com onto the URL.
What a nasty non-feature. Can this be disabled?
Infrastructure changes aren't even needed; Google already owns the .google TLD. All they would need to do is attach an A record to the root.
ICANN doesn't allow A records on the DNS root on gTLDs. If they did, we already would've.
http://cm./ used to resolve
(comment deleted)
https://news.ycombinator.com/item?id=974111

http://to./ used to be a URL shortener.

Either the rules on ccTLDs are different, or it's a recentish crackdown.

There are no rules for ccTLDs, which their countries like to claim as sovereign property (see https://meetings.icann.org/en/dublin54/schedule/wed-ccnso-me... and https://gac.icann.org/principles-and-guidelines/public/princ... for some of the views)

Some ccTLDS voluntarily agree to abide by the same rules and operational requirements as the gTLDs - https://www.icann.org/resources/pages/cctld-2012-02-25-en has more details.

This means, for example, than ccTLDs aren’t bound by the findings from SAC053 at https://www.icann.org/en/system/files/files/sac-053-en.pdf which have been included in the gTLD contracts.

Wow, that's a glimpse into the past
.cm is a ccTLD, not a gTLD. All two-letter TLDs are ccTLDs and all 3+ letter TLDs are gTLDs. Countries have wide latitude to do whatever they want with their ccTLDs.
http://ai./ still works
What happens if I have a computer on my network named ai? Wouldn't it cause a conflict?

I called my FreeNAS box freenas because I didn't feel very creative, and I can browse to it as http://freenas or http://freenas./ but if they took a domain of 'freenas' suddenly that means I have to do extra work and rename my stuff. Doesn't seem fair!

(comment deleted)
You should have used a reserved TLD like `.local'. If you set it as the local domain name `ai' and `ai.local' would work. `ai.' would not work, as the dot at the end tells it to look at the top level. (like the slash at the beginning of an absolute path)
Ah yes I forgot that, .local does work so I guess that fixes that problem.
This explains so much. I'd always wondered why e.g. CERN's website was served from home.cern instead of just cern.
Sure, but why would they?

Can you imagine all the search advertising Google would lose if they allowed just 'nike' and 'att' to resolve the websites in Chrome, rather than search results?

I was pondering about the idea of a browser extension for a sort of local DNS. Paying for domains could be ditched if everyone had a local copy of a database that mapped any character sequence (even emojis) to a server address that would get filled in by the extension in the url bar. Not sure if it would extend to mobile or all websites, but could work similar to a social network in the sense that you need to get the extension (i.e. access) first, and then you can find someone just by using a string that they've provided. Combined with something like Github pages it would offer a full free solution.
(comment deleted)
> they instantly became unavailable the moment I tried to do so. The cynic in me thinks that Google has a special check for those and renews it themselves if someone tries

My guess is that they were never available and there are doing a poor job of figuring out which domains are taken and which are not. I've been this in several other domain name search sites too, especially if there is no nameserver for a registered domain.

Clicking "purchase" on them must have kicked the system into fixing itself, then, because they stopped showing up as such after I did so.
I think so too, because that's when they do the (presumably resource intensive) call to actually attempt the registration and they can update their "most likely available" list with this definitive data.
Which is most likely because registries are known for having poor infrastructure. If registrars can't see the name is taken from the registry, they will default to available.

I worked on some registrar-related stuff years ago now and even at that time, Verisign was known for having poor support of providing information about .com registrations.

> Which is most likely because registries are known for having poor infrastructure.

If people only knew that the internet was held together with bubblegum and duct tape...

Every fundamental layer has just crazy / old legacy foundations that are just incompatible with safe systems. Really opened my eyes when I saw how telco routing worked at the lowest levels.

>Interestingly, I recently saw a couple a couple of google.* domains available on Google Domains, including some reasonable-sounding ones: IIRC, google.tech, google.business, and google.camp. Tried to purchase them but they instantly became unavailable the moment I tried to do so. The cynic in me thinks that Google has a special check for those and renews it themselves if someone tries…

It must have been a bug in Google Domains, all three domains were registered ~5 years ago.

Yes, but I figured they might have lapsed. I idly check it from time to time and they certainly didn't show up as available previously.
It could have been an interruption in connectivity with the registry operator(s) for those TLDs. When that happens, most registrars will at least attempt to buy domains they're currently unable to retrieve the status of. You only get charged if the domain actually ends up being created.
I have experienced this bug in Google Domains before (for non Google related domain names). Interestingly, it seems to particularly affect domains that are registered but unused.

This isn't isolated to Google Domains, however. GoDaddy's website let me go through the entire checkout process with 2 or 3 registered domain names, followed by a refund an hour later.

There is no way you'd get a "google" domain under any extension but even if you register a domain with "google" + something else you're going to lose it in a UDRP anyway.

It's possible that google and other major brand names don't have to register every extension, the names are just reserved for them alone, should they want them.

There was a dude a while back who registered google.com and gave it back when asked. I figured I might be able to do that and get a cool story to tell out of it.
He never registered google.com. google.com is hard-locked at the registry level by Verisign and has very high security manual safeguards around any changes that are made to it.

There was a temporary bug in Google Domains that made it appear as if he had bought google.com, but he had not.

Are there other domains hard-locked at the registry level? I haven't heard of this behavior before.
Yes, there are many such registry-locked domains. Verisign and most other TLD operators sell it as a service. More info:

https://www.verisign.com/en_US/channel-resources/domain-regi... https://krebsonsecurity.com/2020/01/does-your-domain-have-a-...

It's a recommended best-practice for high-value sites, which the main website of any Fortune 500 company certainly falls under.

Oh, this is available to anyone with a .com using a major registrar. I had misunderstood this to be some special feature only available to the domains that make up massive amounts of internet traffic like google.com.
There is likely to be even more scrutiny placed on any changes to domain names that employees of Verisign immediately recognize, such as "google.com". I imagine that would have to go through a very high level person at Verisign. It's in everyone's vested best interests here to not screw up something so visible as that.
I think it was GoDaddy not Google Domains.
Huh?

The guy in the article did in fact buy a google.tld - https://google.xn--9dbq2a/

I wasn't talking to the guy in the article, was I?
The guy in the article was able to do it recently. Why not the person you were replying to? (Besides the fact that now the guy in the article has done them all)
Lots of people hand registered 3 and 4 letter .coms in the past.

So because they could do it, anyone who points out it's not possible now should be downvoted and asked to explain themselves with:

Why is it not possible, beside the fact that it's not possible?

[Edited to remove excess frustration/annoyance/snark at people quibbling so much about a totally inconsequential and factual remark.]

Go back to reddit neckbeard
(comment deleted)
It is unlikely that google owns trademarks in all countries for all trademark types.
there is the Trademark Clearinghouse which actually deals with these cases (by either automatically registering the domain for the trademark holder, or notifying them immediately if the domain is registered so they can take semi-automated action) [1]

[1] https://newgtlds.icann.org/en/about/trademark-clearinghouse

Yeah, I don't recommend buying domains with trademarks in them, even for research (or similar) purposes.

I registered a domain name with a client's trademarked name in it as part of an authorized penetration test of that client a few years ago. At the end of the test, I asked if they wanted me to transfer it to them, and they didn't. A year later, when it expired and the domain privacy stuff went away, all of that automated enforcement machinery started running, and suddenly I was being threatened with all sorts of arbitration/court appearances if I didn't transfer the domain (which I no longer owned) to them. Took weeks to sort out, and that was with documentation that I'd bought the domain as part of a pen test the client had specifically agreed to.

Companies like Mark Monitor will buy all of the <yourbrand>.tld's for you-- and continually grab new ones (as the set of TLDs is constantly growing). At Netflix's size, I would assume they would've paid for such a service.
It's worth noting that MarkMonitor ownership has changed in recent years.

Regardless, they certainly can register all the names for you, if that's what you ask them to do, but at some point, there's an awful lot of names, and it feels extortiony to pay for them all. I was working for a MarkMonitor client when the 'landrush' for all these new tlds was happening, and we'd get frequent emails about which tlds were going live soon, so we could decide if we wanted foo.bike or foo.sexy or foo.personals, or whatever. And then, if we wanted to pay rediculous prices to get it early, or wait and see if we could get it at normal price (+ hefty MarkMonitor markup). We would almost certainly win a UDRP, but that's expensive too.

Then we got bought, and the new corporate overlords liked throwing money away on dumb domains, so foo.bike got registered by their team (and they had an actual domain team, so I got to shed that hat).

When you mention the change of ownership, I assume that there's an implication there, but would you be willing to be explicit about it?
They're owned by a VC firm now, which I suspect means they'll need to change how they operate in order to show growth. That's not what I would want in a registrar I'm counting on for absolute stability of domain names for my hypothetical big/important company.
Could someone register a tld and charge a crazy amount of money for it, to extort big companies?
No, they can use their trademark to take control of the domain without paying any money through UDRP.
That’s not how trademark law works, at least. Does the URDP really let trademark holders take down sites that are critical of them?
I wouldn't expect UDRP to allow a trademark holder to take down a site critical of the holder; I that's a legitimate use of the trademark, even if it's not approved or desired.

However, that's not really what most companies are worried about, they're worried about phishing or scams or misleading sites with their name; UDRP should allow those to be taken down fairly easily, although the question is always if it's less expensive to register the domain or to leave it unregistered and dispute it if it's misused.

Yes. Look up the history of .sucks
The first reason https://get.sucks mentions why you might want one of their domains is to protect your brand online.
(comment deleted)
"protect" aka good old mafia-style "protection money" rackets.
Yes, a company by the name of Donuts did this with over 200 new TLDs.
There are now anti-domain squatting laws on the books, aside from more conventional trademark, etc., protections.

If any of the big names found someone using a clone domain and objected to it, the domain owner - I'd expect - would find themselves having a chat with keenly interested IP attorneys.

Lot's of domain squatters listen out for whois requests, to try nab unregistered domains before the real interested buyer.

Wouldn't surprise me if big tech like Google does the same.

I felt the same when I wanted to pick my domain name: you're tempted to go for the traditional way of going with YourName, and then buy the .com or .org but what if you buy only one of them ? How does someone else know that YourName.io isn't your website if you don't buy it ?

My conclusion was that your domain name must not be in the form of YourName.tld; the tld must be part of your name. You can either use puns like buying yourna.me, but it's a bit weird for non-tech people, or you have to use the weirdness of tlds and go for something like lostin.space. There is less confusion at "what comes after" because there is only one.

"Did you know it costs a minimum of $185,000 to create your own domain name ending? For that kind of money, I think ICANN, the registries and registrar sites have a massive responsibility to ensure that this never happens."

No they don't.

The same problem exists with subdomains, for example some users may visit "netflix.trustworthy-sounding-domain.com" and not notice the issue.

Meanwhile, using a weird TLD can raise suspicion even for legitimate sites. Get a dot com.

netflix.trustworthy-sounding-domain.com isn't really the same though. If I own netflix.trustworthy-sounding-domain.com, I can create facebook.trustworthy-sounding-domain.com, google.trustworthy-sounding-domain.com, etc simply by creating new DNS records. No one but myself is involved, or even know they exist (unless I put links to them somewhere public).

On the other hand, someone owns and operates .soy, and has to actually approve new domains getting created. Part of that process could be a step that automatically screens for scammy looking registrations.

Let me explain. The problem is that somebody malicious might impersonate another company through a domain name.

So they send people emails with URLs like "netflix.user-support.com" where "user-support.com" is owned by the malicious actor. This is extremely common.

I honestly don't see any other problem. How else would you get people to visit "netflix.soy", if not by the same mechanism? It doesn't matter who controls which part of the domain, users are either going to notice the odd parts of the domain, or they are not. The fact that one is a TLD and the other isn't doesn't really make a difference, at least for uncommon TLDs.

> On the other hand, someone owns and operates .soy, and has to actually approve new domains getting created. Part of that process could be a step that automatically screens for scammy looking registrations.

Yes, but that wouldn't do anything to solve the problem. It would only make things more expensive. I honestly don't see the issue with anybody owning "netflix.soy" unless they're malicious, but in that case owning "netflix.anything-else.com" would be just as bad, if not worse. Since we can't really prevent the latter case, preventing the former case is moot.

gTLDs are nothing but a money play by ICANN and registrars and really make the internet a (slightly) more confusing and dangerous place. Within epsilon, all the money spent by companies on gTLDs is dead weight with no payoff in increased usability but only to prevent some naive user from being tricked.

The advice I give my non-techie friends is avoid going to any business website that is not a “.com”

> The advice I give my non-techie friends is avoid going to any business website that is not a “.com”

You can't actually mean that? Country TLD? (Eg .CA) I'm actually pretty impressed by how the .CA registry (CIRA) has branded itself in Canada. There's even a bit more legitimacy for sites because it's clear they're operating in Canada (or have at least made an effort for Canadian representation).

Yeah, my default behaviour for any international company is to navigate to companyname.ca. Even if they don't use TLDs for their regional websites, it typically redirects to their Canadian site. (e.g. apple.ca redirects to apple.com/ca, microsoft.ca redirects to microsoft.com/en-ca, ikea.ca redirects to ikea.com/ca/en, etc.)
Presumably OP is American and does business with American websites 99.9% of the time.
> The advice I give my non-techie friends is avoid going to any business website that is not a “.com”

What about ".net"? It's a pretty old, established domain with many large companies using it (themeforest.net, cpanel.net, php.net, ovh.net, doubleclick.net)

Also ".io" usually hosts legit internet businesses.

> The advice I give my non-techie friends is avoid going to any business website that is not a “.com”

Ha. Do you give these friends other advice of the same calibre? I wonder what they think of you.

"If you've got a choice of brands, you can't go wrong with Trump, it's a sign of quality"

"The smaller the house, the bigger the dog you want, if you've got a tiny apartment buy a Great Dane or a Newfoundland, that way it's cosy"

"There's no such thing as too much salt. When cooking don't bother tasting it, just add twice as much as you think you need"

Just in the US, there's also org, gov, and edu, not to mention the countless trustworthy ccTLDs in other countries.
I'm from Israel, and this is the first time I've heard about the .קום tld. I've never seen any website that uses it.

The author mentioned that creating a new tld costs a minimum of 185k USD. This makes me wonder who would pay this kind of money for this completely useless tld.

Perhaps government organizations ? Also not all TLD's cost 185k to create, ccTLD were given free to each country to mange for example, similarly language specific common gTLD may have had special provisions for some countries to manage perhaps.
If they managed it for only $185k I'm impressed, maybe if you did several on the same infrastructure.

It's a gold mine offering. There was a long queue of people quite sure that .binglebongle would be the new .com. Sometimes it was a marginally less stupid plan, like we can be a regional alternative - and Russia even has one that's actually making money - it isn't taking over the world, but it's Cyrillic and was never intended to. But most gold mines never produce gold, they just suck up people's money and dreams and spit out the bones.

The obscure brand TLDs are funnier. Not brands you've heard of like google, brands who are their own tiny corner of the non-IT world and figured they ought to have a TLD, so now they do to the tune of maybe six figures a year.

The Kerry Group for example owns several, as do some US financial outfits. Why? Because nobody who knew this was a stupid idea was in the room when it got decided.

> The obscure brand TLDs are funnier. Not brands you've heard of like google, brands who are their own tiny corner of the non-IT world and figured they ought to have a TLD, so now they do to the tune of maybe six figures a year.

While everyone here has certainly heard of Softbank, I find it amusing that they have their own TLD too (with sites like https://group.softbank/).

> everyone here has certainly heard of softbank

not until your comment had I heard of "softbank"

I'm pretty pissed off that some TLDs went to the exclusive use of corporations. I really wanted a domain with .fox but its taken by the media corporation which doesn't use it for anything.
Afaik most of the new TLDs are hosted by a few specialized ISPs that have enough DNS infrastructure to comply with ICANN's standards. Apart from tech companies, nobody wants to maintain DNS servers.
.קום is just .com transliterated into Hebrew letters, right?

That actually seems quite useful, if people are typing not realizing the keyboard is set to Hebrew.

That would only work if the Hebrew keyboard layout they were using had this mapping of letters. Most language layouts for non-Roman scripts don't optimize for phonetically approximating the corresponding English letters (presumably on a QWERTY layout).

It appears that they don't match to the TLD letters here: https://en.wikipedia.org/wiki/Hebrew_keyboard

That's correct. Typing 'com' with the keyboard set to Hebrew results in 'בםצ' (which is not even pronounceable) not 'קום'.

The Hebrew keyboard layout has no relation to QWERTY in terms of phonetics.

If the keyboard was set to Hebrew then the subdomain would also be spelled out in the wrong characters, so the URL would be nonsense or go to a different site. Additionally, as people mentioned, the standard Hebrew layout is incompatible with QUERTY (I am a Hebrew speaker and have never heard of the phonetic Hebrew layout you linked to). Also when you type the URL the characters would be spelled out in the oppose right-to-left direction as .com.
Many national TLD holders (ccTLDs) control a TLD in local language.

.lk registry, for example, also controls .ලංකා and .இலங்கை (sounding "Lanka" "Ilangei" in Sinhalese and Tamil, the two other official languages in Sri Lanka), and they do not cost $185K. In fact, ccTLDs don't cost any money as far as I'm aware. DNS servers are run by the government funding but there is no cost to pay to ICANN.

Strange that Netflix hasn't drunk the Registry cool-aid and bought their "all-encompassing" TLD package which registers their trademark across all TLD's for a special price. On top of that, I'm doubly surprised Google hasn't taken action and already put this domain on hold in preemption of selling Netflix one of these deals.
>their "all-encompassing" TLD package which registers their trademark across all TLD's for a special price

That's a thing? What's preventing a predatory registry from being a holdout and demanding exorbitant prices?

That is a thing for at least one Registry that I know of (and worked for), I don't know if Google does the same, but I don't believe there is anything stopping them (please correct me if I'm wrong).
Google does not do the same.
Which makes me doubly surprised! It was my impression that this product offering was quite lucrative.
Yeah: Domains Protected Marks List, e.g Donuts: https://donuts.domains/what-we-do/brand-protection

afaik there's nothing that requires registries to use a DPML and it doesn't really make sense unless they manage lots of TLDs, since the cost of adding your trademark to the DPML is usually a lot more than the cost of a single registration.

If these companies notice, they can file a UDRP (https://en.wikipedia.org/wiki/Uniform_Domain-Name_Dispute-Re...) request, on the basis that the domains infringe their trademarks, and were registered and used in "bad faith".
>and were registered and used in "bad faith".

How were they registered in bad faith? He's not extorting money from netfilx, nor is he trying to deceive people into thinking he's neflix.

What's he trying to do with it?
(comment deleted)
(comment deleted)
UDRP typically rules in favor of the holder of the unambiguous trademark in these kinds of cases. As an example, "Exxon Mobil" refers unambiguously to a single entity only, and has no other possible uses, so anyone registering exxonmobil.{anything} would lose if the company came after them. No one else has any right to that trademark, and ICANN enforces trademark rights on domains.

If the trademark already existed when you bought the domain, and especially if it's widely used and ambiguous, you're gonna lose that domain if the company comes after you.

Contrast this with the case of, e.g., McDonald, which is a widely used surname that predates the existence of the trademark. So long as you specifically aren't trying to cause confusion with the McDonalds restaurant trademark, you can use "mcdonalds" in a domain name.

McDonald can use it after going through an expensive lawsuit where the big co will try to bully the little guy.

Which is what happened to nissan.com

What about .sucks? Couldn’t one claim free speech? https://www.forbes.com/sites/rogerkay/2015/06/29/saga-of-suc...
.sucks is a very special case. I wouldn't try to generalize anything going on there to other TLDs.
Free speech is a right issued by governments to the people.

It is not a valid concept between two private parties.

https://money.cnn.com/2017/08/08/technology/google-workplace...

Yes, but the argument GP responded to was that "ICANN enforces trademark rights on domains" and that "If the trademark already existed when you bought the domain, and especially if it's widely used and ambiguous, you're gonna lose that domain if the company comes after you."

He argues that the practice has its basis in trademark laws. If it is so, nominative use of a trademark to e.g. criticize a product is considered fair use and shouldn't be ruled out by ICANN on that basis. It either wouldn't be, or ICANN have some other basis than trademark law for their rulings.

So GP's point raises an interesting question. If you had registered e.g. "google.sucks" or something similar in which the FQDN arguably forms a valid nominative use in itself in good faith to use that domain to criticize Google's business decisions and products, does ICANN have some other policy outside respecting trademark law that would compel them to take the name back and give it to Google?

The answer to that question isn't "Free speech is a right issued by governments to the people". That's a pointless non sequitur at best, and I'm frankly tired of hearing it used in defense of huge monopolies that are well deserved of scrutiny in the interest of defending freedom of expression.

I agree in that perhaps entities with a public platform (in this case, literally the internet domain) should be compelled to provide reasonably equal access/equal speech rights to everybody.

However, the law is not in that rationale's favor. US courts have repeatedly rejected the argument that private companies are state actors subject to the 1st Amendment [0].

The reality is that the internet is governed almost entirely by private companies.

https://crsreports.congress.gov/product/pdf/R/R45650

> I agree in that perhaps entities with a public platform (in this case, literally the internet domain) should be compelled to provide reasonably equal access/equal speech rights to everybody.

Agree with who? I said that I'm tired of seeing the defense, especially when it's in response to a concrete question that it doesn't answer. You apparently disagree with that entirely. I'm not tired of the defense because I don't understand it, I'm tired of it because I do understand it and don't need constant reminders of it to derail legitimate discussions of how ICANN deals with possibly trademark infringing uses of their services.

I don't know what makes you believe that I don't understand that and keep posting links irrelevant to how ICANN deals with these cases, which again is the question being asked. I'm frankly not sure how I didn't make that clear in my last reply.

I built a tool to analyze UDRP Cases. If you're truly curious https://udrp.tools/?s=aad5d8d0

You can see every domain with SUCKS in it filed against and the outcome. 66 Granted (complainant won). 35 Denied. 4 Split.

My favorite domain filed against from the list: guinness-beer-really-really-sucks.com also against the guy who got the anti cyber squatting legislation created by pointing disney typos to porn.

He admitted he only registered it because netflix didn't, and he had no other non netflix related website in mind to host there. I think that's borderline bad faith. Its not exactly good faith. If he had never heard of netflix he never would have registered it.
> How were they registered in bad faith?

The article literally says that he only registered it because it clashed with an existing company. He didn't want the domain name for any other purpose.

A Google domain name is lying on the ground. An IT guy walks past it. A friend asks: "Didn't you see the Google domain name there?" The IT guy replies: "I thought I saw something, but I must've imagined it. If there had been a Google domain on the ground, someone would've picked it up."
For anyone unfamiliar, this is a clever riff on a classic economics joke about the Efficient Market Hypothesis [1].

"Two economists are walking down the street and one of them notices what appears to be a $20 bill (or a $100 bill—the monetary amounts vary) on the sidewalk. “It’s not a real $20 bill,” the other economist declares. “If it were a real $20 bill, someone would have picked it up off the sidewalk already.”

[1]: https://www.barrypopik.com/index.php/new_york_city/entry/if_...

Except the $20 bill in this case is a $-10 bill (or whatever the domain name costs), as there is no profit to be made by registering a top company's trademark as a domain name.
Yup. It's more like lots of people were walking along and saw exactly what it was, and knew better than to touch it.
Ha exactly — like a briefcase with $1million on the sidewalk. No way I’m touching that!
While it is an unwinnable case, there is a positive dollar amount to settling out of court.
Especially if you have a cute story like the MikeRoweSoft guy did.
He bought mikerowesoft.com though, not microsoft.soy. It would not have ended the way it did if he'd bought the latter. His case was a lot less clear cut than a blatant exact string match on an unambiguous trademark. Also, Mike Rowe is actually his name; Netflix is not this guy's name.
I think Nissan.com is more illustrative -- it was a guy named Nissan[1] who had an actual computer business in his name and got to keep it away from Nissan Motors, but now his site has a lot more to do bragging about his fight with the motor company than actual computer stuff.

[1] Hebrew/Israeli name usually transliterated as "Nisan"

Interesting, why doesn't Nissan motor just paid more money say a million for it?

Surely they can afford it.

Took a quick look at the case. I'm guessing some corp lawyer, maybe even general counsel, didn't have enough "real work" to do and needed to make a name for himself. Then it became a giant d* measuring contest.

Source: Went to law school. Never practiced though.

They got bad self-serving advice from lawyers. A lawyer doesn't get paid much if all they do is write up a contract for a private agreement to buy a domain, but they get paid a lot if the disagreement goes to trial instead.
No there isn't. Companies won't pay you money for having cybersquatted on their obvious trademark. You'll lose the domain flat out through UDRP.

The best outcome that can happen to you if you find yourself in such a situation is that you relinquish the domain name for free and nothing further comes from it.

Arbitration through UDRP is expensive, both in terms of process costs and employee time. A reasonable company would probably pay more than registration costs to avoid it.
Not if you take into account that they also want to deter future cybersquatting.
Covering actual costs without significant profit is a deterrent. If it costs $20 to register and you ask for $30 I think you're likely to get it.
You're underestimating how much value there is to companies in setting precedent on defending their trademark with an easy and practically guaranteed win. Companies need to proactively defend their trademark when it's being infringed upon or they risk losing it, and this is a really easy way to defend it.
The precedent is already established, you're missing the point: in order to enforce such precedent you have to go to court anyway.

And that costs money.

Looks like you haven't heard of https://nissan.com/.

They've had the domain for years.

Sure, if your name is Mike Google, then you might have better chances at keeping your domain. Probably still not good chances to profit off of it.
Now this a valid reason to give your kid the surname of a brand. To get rich quick. Too bad that this also limits employment options in the long run (can you imagine Google to work for Amazon?)
Except having the name is not enough, you also need to have used it in business already.

Happens all the time, as many brand names come from family names and the founder isn't the only person bearing that name.

>you also need to have used it in business already.

What is this based on? Because surely I have the right to own mylastname.suffix without being a business even if someone decides to make a business that bears my family name.

If it were your middle name then you could have the option to omit when needed.
Except that isn't cybersquatting. His name is Nissan and he did business as 'Nissan' before Nissan called themselves Nissan in the USA.
Wow, the look of that website made me feel like a teenager again!
> $-10 bill (or whatever the domain name costs)

For the curious, .soy seems to be one of the more expensive TLDs. It's $34.54 at Gandhi, $25.98 at Namecheap, $35.99 at Network Solutions, and $20 at Goggle. (I also tried at Bluehost, HostGator, and Godaddy, but none of them seem to even offer .soy).

It looks like netflix.soy was registered via Google, so that would be a $-20 bill.

Would a proper analogy be: free boat! (needs work, might be radioactive)?
I wouldn't necessarily think like that.

A domain can be either resold to another third party or could be sold to the trademark owner itself. You might reach a price agreement that brings you some money and costs the trademark owner less than getting a lawyer involved.

That reminds me of my father's advice when I wanted to buy a house. He said if the house was so good why hasn't anyone bought it yet.
A little anecdote. I actually had this exact situation happen to me when I was a kid.

I was walking in a crowded street just outside a shopping center and there where a bunch of $50 bills being blowed by the wind. No one was paying any attention to them so I picked one of them up. You can imagine my surprise when I realised that they were real.

All in all it ended up to be roughly $3000 and my mum took the money to the police station. No one claimed it and a few months later we got to keep it.

(comment deleted)
With the expansiion of TLDs, this just means that apex domains of a TLD will still be subject to trademarks.

google.pizza, google.yoga, google.keyboard will all be trivially easy for Google to claim trademark infringement for.

So while it's cute that you can register "google.soy" -- if Google cares enough they'll take if from you.

> apex domains of a TLD

aka domain names.

I don't doubt google would attempt to do this, and probably win simply by being able to out resource an individual who registered the domain, however, my limited understanding of trademark law is this wouldn't necessarily be a valid claim.

My understanding is trademarks are a protection against consumer confusion, so as long as companies aren't selling similar products or services, or competing in the same geography there isn't a problem. This is difficult with google, but a non-tech scuba company operating under google.scuba or googlescuba.com wouldn't necessarily infringe on google the tech company unless they're actively doing something to make consumer believe they're dealing with google the tech company.

Google is difficult with it's large breadth of interests, but for most tech companies this is likely more about exploiting flaws with the legal system by out resourcing opponents more than legitimate claims (thinking the oracles, salesforces, dells, Intels, etc).

IANAL but I'm pretty sure those examples could still be trademark infringement. Since Google is a global company and brand, someone could easily assume since your site is called google.scuba or googlescuba.com, you are in some way affiliated with or endorsed by Google. Perhaps you'd be OK if you made it very clear that wasn't the case, but I wouldn't want to bet on it.
I don't know what legal relationship it has to US trademark law, if any, but I've heard ICANN has its own sort of arbitration process for domain squatting disputes.
Although apple.records would not be available to Apple Computer. Trademark classes will make this all more interesting.

In fact, they're the only good argument in favour of expanded TLDs that I can think of.

There's a bunch of good TLD's available every week on https://www.namebase.io/ for a lot less than ICANN charges. For example recently someone got the js/ TLD for about $19k in HNS. (compare that to ICANN's $200k application fee)

Namebase is built on the Handshake protocol - a decentralized, permissionless naming protocol where every peer is validating and in charge of managing the root DNS naming zone with the goal of creating an alternative to existing Certificate Authorities and naming systems. (https://handshake.org/)

So… these aren't accessible without specially configured DNS, right? Given that the point of domains is to let people get to your site, a TLD only accessible after reconfiguring your computer to use a little-known DNS competitor seems worth a hell of a lot less than $19,000.
Yeah...this basically ignores those totally minor perks like “SEO” and “people can actually find your site.” Unless I’m missing something here.
The whole framework arounds TLDs is very strange to me. One one hand, opening up all these gTLDs was supposed to alleviate problems with domain parking and name clashes (e.g. you could disambiguate your .blog from a .pizza restaurant). But all this did was shift the parking to other domains, some of which are ludicrously overpriced (anyone remember the .io hype?)

Secondly, regardless of where your site is hosted, you're also bound by the registrar's laws/restrictions (especially for ccTLDs), which doesn't make sense for something that is purely a routing mechanism that translates a name to an IP. It'd be fine if domain names were plentiful, but domain hacks[0] also make people use TLDs without regard to considering their territory or any implications.

The whole .org fiasco only proved further that this model with ICANN and for-profit registrars isn't tenable and a horrible fit for an open distributed internet. All these perverse incentives and political fuckery should not exist for something that is an essential part of a worldwide utility.

I'd love if HNers could share any promising alternatives to our current DNS system.

[0]: https://en.wikipedia.org/wiki/Domain_hack

I was just talking to a friend yesterday about "domain hacks" (where you spell some word using the TLD) in the context of country-code TLDs. Those raise some interesting issues for political reasons [1, 2].

For the newer TLDs like .soy, .pizza, .restaurant, etc. I really can't imagine that these would be adopted quickly. Even to me, these are barely recognized as URLs at all. And the possibility for domain name confusion really skyrockets, as demonstrated by the submission.

[1] https://priceonomics.com/the-rise-and-fall-of-ly/ [2] https://www.thewebmaster.com/hosting/2016/feb/27/io-tld-top-...

> google.com in Hebrew! And I could actually buy it. It bloody worked.

In a couple of weeks the follow-up "Google cancelled my Gmail account and won't tell me why"

(comment deleted)
Was driving to my local park when Android Auto directed me down a dark alley whereupon I was beaten by some hired goons.
> large sum of money

No, they will file a dispute and get them at registration cost, because they own the trademark.

Not always, i had for a few years the domain name of a top 10 website we all know, with a TLD for my country (.pt). I just kept it and did nothing with it and one day got a €30k offer.
Registering unambiguous trademark domains falls under the category of "play stupid games, win stupid prizes".
Could anything worse than losing out on the registration fees ever actually happen?
Yes. You might have to deal with the hassle and expense of being sued.

There's all downside and no upside to playing this particular stupid game.

I mean technically, maybe, but it's extremely unlikely that they'd sue without sending a C&D first. And given the lack of damage even if they did it'd likely get dismissed quickly with him just giving up the domain.

But... INAL and this is not legal advice.

The biggest trouble people get themselves into with this kind of thing is if they, upon being contacted by the company, ask for money instead of immediately offering to transfer the domain to them free of charge. At that point it's trademark cybersquatting and they have your own words in the email as proof.

Speaking from personal experience here: being on the end of any kind of notice with the threat of legal force, even if it's not a lawsuit yet, is the kind of stress you just don't need in your life.

If you actually caused say, reputational damage, you could be stuck with a lawsuit for more than just turning over the domain.
People have gotten in serious hot water over Internet traffic that was accidentally sent to them. Owning someone else's trademark as a domain name seems liable to increase the risk of that happening. Even if you aren't up to no good, you've now placed the onus on yourself of proving that you weren't, whereas if you weren't squatting on an obvious TM domain that wouldn't be true.
> People have gotten in serious hot water over Internet traffic that was accidentally sent to them.

You've piqued my curiosity. Any examples to share?

Absolutely. Some countries have laws against it, they could file in normal court (not UDRP). US the limit is $100,000 per domain under ACPA (https://en.wikipedia.org/wiki/Anticybersquatting_Consumer_Pr...)

Also if you lose one case, you are likely to have that used against you in the future (pattern of behavior). So any subsequent defense may be weaker in a system that already strongly favors TM holders.

Fun article, however: ".coms are slowly becoming less relevant" no they don't. They are becoming more relevant if anything.
I don't really agree with the premise of this post. Why should Netflix or Google have to buy a domain for every stupid gTLD that someone paid a few $100k to create? The author makes it sound like that's somehow an oversight on their part.

If anything, it's sad that they ended up having to own so many gTLDs just to prevent abuse.

I think that’s what he’s saying: that this system of hundreds of TLDs means that companies can easily miss one and that becomes a vector for phishing, etc. It sounded like he was blaming ICANN, not Netflix or Google.
The netflix.soy image is fantastic.
I used to work for a Big Media Company. They used to scramble to by BigMediaCompany.<new tld> whenever there was a new tld.

Then one day they stopped. The legal department decided that if someone were to buy it and use it in a way that infringed on their trademark, it would be cheaper/easier to sue or file an injunction.

For a while it was an extortion game. A new .tld like ".mobi" or ".music" would start, and they'd offer the names to fortune 500 trademark holders for $$$$$.

I own 인스타그램.닷컴, and (actually!) use it to share photos with my Korean friends.

But, uhh, I would certainly not decline if Facebook were to try to purchase it to make it reroute to Instagram.

I really like the landing page. heh.
I wonder if there is any SEO magic to having those domains. Might be worthwhile to test it out?
There's a terrible enterprise security product that can be configured by IT to quasi-MITM your company web traffic. Instead of relying on enterprises pushing their own trusted root certs and MITMing the whole session this terrible product redirects all traffic to (and I'm not kidding here) urls like "www.terriblesecuritycompanyname.com/www.originalurl.com" when the user accesses www.originalurl.com.

So this "enterprise security" company encourages end users to put information such as passwords into www.terriblesecuritycompanyname.com/owa.office365.com for example. Of course everyone has SSO enabled for Office 365 but everyone is also used to SSO sometimes breaking and falling back to forms based auth so people have no issue typing their passwords into any page that looks somewhat legit as long as the URL is close to what they expect and has a little lock next to it.

Anyway www.turriblesecuritycompanyname.com is available and I'm waiting for someone nefarious to purchase it and start sending phishing emails with links to www.turriblesecuritycompany.com/owa.office365.com embedded in them.

It depends on which ethical framework you subscribe to, but if I were in your shoes using my ethical framework, it seems like the small cost to me to purchasing an available domain (making the assumption here it's a standard buy and it's not one of those "make an offer for $10k" domains...) to mitigate a lot of potential hurt to other people would make me lean toward just purchasing the domain myself, or at least making the correct people aware. An equally valid counterexample would be a framework where you didn't cause the harm, so you have no obligation to intervene.
Your ethical framework in this case could clash with the arguably broken legal framework that we currently live in.

Buying a domain like that could get you into legal trouble once it is found out and people track sensitive traffic funneling to the domain. Even if you aren't doing anything with the information.

This, exactly.

One thing I've learned about "infosec" companies is that their litigiousness is inversely proportional to their actual level of security.

The similar domains I've seen are only $9 though so it's just a matter of time.

Wow, that sounds awful.

Do you know what they did (assuming not nothing) to have browsers continue to enforce the same-origin policy, and block www.terriblesecuritycompanyname.com/evilhacker.com from accessing cookies that belong to www.terriblesecuritycompanyname.com/owa.office365.com?

I haven't looked into it that deeply to see how (whether) they're handling same origin or cookie access. I assume they're doing some kind of magic other than just rewriting the URLs.

If you haven't been involved with enterprise information security you'd be surprised by how intrusive and poorly conceived these services are in a lot of cases. Tavis Ormandy and others have famously found many AV products to be running un-sandboxed untrusted javascript in kernel mode. In line web proxies have been found to do things like sign untrusted or revoked certs with a trusted root cert.

It's all pretty much a big grift to capitalize on companies' rightful cyber security fears.

> redirects all traffic to (and I'm not kidding here) urls like "www.terriblesecuritycompanyname.com/www.originalurl.com" when the user accesses www.originalurl.com.

What is the theoretical security feature they are selling by doing this?

The ability to block malware and phishing domains, insight to IT people about what sites are being visited, content filtering, etc. While most of this should be implemented in another way (like maybe a mandatory browser extension?), MITM is still the standard approach for many companies.
apple.beer is actually a pretty good domain name for a cider company. Not technically accurate of course, but pretty good from a marketing perspective.
> Did you know it costs a minimum of $185,000 to create your own domain name ending?

If I were a blackhat with money, I'd register the ".con" TLD.

... Sure hoping a whitehat gets it first.

At least it would be self-descriptive! :D