Interestingly, I recently saw a couple a couple of google.* domains available on Google Domains, including some reasonable-sounding ones: IIRC, google.tech (edit: google.page), google.business, and google.camp. Tried to purchase them but they instantly became unavailable the moment I tried to do so. The cynic in me thinks that Google has a special check for those and renews it themselves if someone tries…
More generally, however: all these TLDs are kind of stupid, and trying to make sure you own every single TLD for your business is similar to a protection racket where you have to pay just so something bad doesn't happen to you. Perhaps we should stop trying to make a billion of them.
Even better yet, it would be interesting if we just abandoned TLDs. There is no reason why http://google/ can't work, really, with a bunch of infrastructure changes.
.cm is a ccTLD, not a gTLD. All two-letter TLDs are ccTLDs and all 3+ letter TLDs are gTLDs. Countries have wide latitude to do whatever they want with their ccTLDs.
What happens if I have a computer on my network named ai? Wouldn't it cause a conflict?
I called my FreeNAS box freenas because I didn't feel very creative, and I can browse to it as http://freenas or http://freenas./ but if they took a domain of 'freenas' suddenly that means I have to do extra work and rename my stuff. Doesn't seem fair!
You should have used a reserved TLD like `.local'. If you set it as the local domain name `ai' and `ai.local' would work. `ai.' would not work, as the dot at the end tells it to look at the top level. (like the slash at the beginning of an absolute path)
Can you imagine all the search advertising Google would lose if they allowed just 'nike' and 'att' to resolve the websites in Chrome, rather than search results?
I was pondering about the idea of a browser extension for a sort of local DNS. Paying for domains could be ditched if everyone had a local copy of a database that mapped any character sequence (even emojis) to a server address that would get filled in by the extension in the url bar. Not sure if it would extend to mobile or all websites, but could work similar to a social network in the sense that you need to get the extension (i.e. access) first, and then you can find someone just by using a string that they've provided. Combined with something like Github pages it would offer a full free solution.
> they instantly became unavailable the moment I tried to do so. The cynic in me thinks that Google has a special check for those and renews it themselves if someone tries
My guess is that they were never available and there are doing a poor job of figuring out which domains are taken and which are not. I've been this in several other domain name search sites too, especially if there is no nameserver for a registered domain.
I think so too, because that's when they do the (presumably resource intensive) call to actually attempt the registration and they can update their "most likely available" list with this definitive data.
Which is most likely because registries are known for having poor infrastructure. If registrars can't see the name is taken from the registry, they will default to available.
I worked on some registrar-related stuff years ago now and even at that time, Verisign was known for having poor support of providing information about .com registrations.
> Which is most likely because registries are known for having poor infrastructure.
If people only knew that the internet was held together with bubblegum and duct tape...
Every fundamental layer has just crazy / old legacy foundations that are just incompatible with safe systems. Really opened my eyes when I saw how telco routing worked at the lowest levels.
>Interestingly, I recently saw a couple a couple of google.* domains available on Google Domains, including some reasonable-sounding ones: IIRC, google.tech, google.business, and google.camp. Tried to purchase them but they instantly became unavailable the moment I tried to do so. The cynic in me thinks that Google has a special check for those and renews it themselves if someone tries…
It must have been a bug in Google Domains, all three domains were registered ~5 years ago.
It could have been an interruption in connectivity with the registry operator(s) for those TLDs. When that happens, most registrars will at least attempt to buy domains they're currently unable to retrieve the status of. You only get charged if the domain actually ends up being created.
I have experienced this bug in Google Domains before (for non Google related domain names). Interestingly, it seems to particularly affect domains that are registered but unused.
This isn't isolated to Google Domains, however. GoDaddy's website let me go through the entire checkout process with 2 or 3 registered domain names, followed by a refund an hour later.
There is no way you'd get a "google" domain under any extension but even if you register a domain with "google" + something else you're going to lose it in a UDRP anyway.
It's possible that google and other major brand names don't have to register every extension, the names are just reserved for them alone, should they want them.
There was a dude a while back who registered google.com and gave it back when asked. I figured I might be able to do that and get a cool story to tell out of it.
He never registered google.com. google.com is hard-locked at the registry level by Verisign and has very high security manual safeguards around any changes that are made to it.
There was a temporary bug in Google Domains that made it appear as if he had bought google.com, but he had not.
Oh, this is available to anyone with a .com using a major registrar. I had misunderstood this to be some special feature only available to the domains that make up massive amounts of internet traffic like google.com.
There is likely to be even more scrutiny placed on any changes to domain names that employees of Verisign immediately recognize, such as "google.com". I imagine that would have to go through a very high level person at Verisign. It's in everyone's vested best interests here to not screw up something so visible as that.
The guy in the article was able to do it recently. Why not the person you were replying to? (Besides the fact that now the guy in the article has done them all)
there is the Trademark Clearinghouse which actually deals with these cases (by either automatically registering the domain for the trademark holder, or notifying them immediately if the domain is registered so they can take semi-automated action) [1]
Yeah, I don't recommend buying domains with trademarks in them, even for research (or similar) purposes.
I registered a domain name with a client's trademarked name in it as part of an authorized penetration test of that client a few years ago. At the end of the test, I asked if they wanted me to transfer it to them, and they didn't. A year later, when it expired and the domain privacy stuff went away, all of that automated enforcement machinery started running, and suddenly I was being threatened with all sorts of arbitration/court appearances if I didn't transfer the domain (which I no longer owned) to them. Took weeks to sort out, and that was with documentation that I'd bought the domain as part of a pen test the client had specifically agreed to.
Companies like Mark Monitor will buy all of the <yourbrand>.tld's for you-- and continually grab new ones (as the set of TLDs is constantly growing). At Netflix's size, I would assume they would've paid for such a service.
It's worth noting that MarkMonitor ownership has changed in recent years.
Regardless, they certainly can register all the names for you, if that's what you ask them to do, but at some point, there's an awful lot of names, and it feels extortiony to pay for them all. I was working for a MarkMonitor client when the 'landrush' for all these new tlds was happening, and we'd get frequent emails about which tlds were going live soon, so we could decide if we wanted foo.bike or foo.sexy or foo.personals, or whatever. And then, if we wanted to pay rediculous prices to get it early, or wait and see if we could get it at normal price (+ hefty MarkMonitor markup). We would almost certainly win a UDRP, but that's expensive too.
Then we got bought, and the new corporate overlords liked throwing money away on dumb domains, so foo.bike got registered by their team (and they had an actual domain team, so I got to shed that hat).
They're owned by a VC firm now, which I suspect means they'll need to change how they operate in order to show growth. That's not what I would want in a registrar I'm counting on for absolute stability of domain names for my hypothetical big/important company.
I wouldn't expect UDRP to allow a trademark holder to take down a site critical of the holder; I that's a legitimate use of the trademark, even if it's not approved or desired.
However, that's not really what most companies are worried about, they're worried about phishing or scams or misleading sites with their name; UDRP should allow those to be taken down fairly easily, although the question is always if it's less expensive to register the domain or to leave it unregistered and dispute it if it's misused.
There are now anti-domain squatting laws on the books, aside from more conventional trademark, etc., protections.
If any of the big names found someone using a clone domain and objected to it, the domain owner - I'd expect - would find themselves having a chat with keenly interested IP attorneys.
I felt the same when I wanted to pick my domain name: you're tempted to go for the traditional way of going with YourName, and then buy the .com or .org but what if you buy only one of them ? How does someone else know that YourName.io isn't your website if you don't buy it ?
My conclusion was that your domain name must not be in the form of YourName.tld; the tld must be part of your name. You can either use puns like buying yourna.me, but it's a bit weird for non-tech people, or you have to use the weirdness of tlds and go for something like lostin.space. There is less confusion at "what comes after" because there is only one.
"Did you know it costs a minimum of $185,000 to create your own domain name ending? For that kind of money, I think ICANN, the registries and registrar sites have a massive responsibility to ensure that this never happens."
No they don't.
The same problem exists with subdomains, for example some users may visit "netflix.trustworthy-sounding-domain.com" and not notice the issue.
Meanwhile, using a weird TLD can raise suspicion even for legitimate sites. Get a dot com.
netflix.trustworthy-sounding-domain.com isn't really the same though. If I own netflix.trustworthy-sounding-domain.com, I can create facebook.trustworthy-sounding-domain.com, google.trustworthy-sounding-domain.com, etc simply by creating new DNS records. No one but myself is involved, or even know they exist (unless I put links to them somewhere public).
On the other hand, someone owns and operates .soy, and has to actually approve new domains getting created. Part of that process could be a step that automatically screens for scammy looking registrations.
Let me explain. The problem is that somebody malicious might impersonate another company through a domain name.
So they send people emails with URLs like "netflix.user-support.com" where "user-support.com" is owned by the malicious actor. This is extremely common.
I honestly don't see any other problem. How else would you get people to visit "netflix.soy", if not by the same mechanism? It doesn't matter who controls which part of the domain, users are either going to notice the odd parts of the domain, or they are not. The fact that one is a TLD and the other isn't doesn't really make a difference, at least for uncommon TLDs.
> On the other hand, someone owns and operates .soy, and has to actually approve new domains getting created. Part of that process could be a step that automatically screens for scammy looking registrations.
Yes, but that wouldn't do anything to solve the problem. It would only make things more expensive. I honestly don't see the issue with anybody owning "netflix.soy" unless they're malicious, but in that case owning "netflix.anything-else.com" would be just as bad, if not worse. Since we can't really prevent the latter case, preventing the former case is moot.
gTLDs are nothing but a money play by ICANN and registrars and really make the internet a (slightly) more confusing and dangerous place. Within epsilon, all the money spent by companies on gTLDs is dead weight with no payoff in increased usability but only to prevent some naive user from being tricked.
The advice I give my non-techie friends is avoid going to any business website that is not a “.com”
> The advice I give my non-techie friends is avoid going to any business website that is not a “.com”
You can't actually mean that?
Country TLD? (Eg .CA)
I'm actually pretty impressed by how the .CA registry (CIRA) has branded itself in Canada. There's even a bit more legitimacy for sites because it's clear they're operating in Canada (or have at least made an effort for Canadian representation).
Yeah, my default behaviour for any international company is to navigate to companyname.ca. Even if they don't use TLDs for their regional websites, it typically redirects to their Canadian site. (e.g. apple.ca redirects to apple.com/ca, microsoft.ca redirects to microsoft.com/en-ca, ikea.ca redirects to ikea.com/ca/en, etc.)
> The advice I give my non-techie friends is avoid going to any business website that is not a “.com”
What about ".net"? It's a pretty old, established domain with many large companies using it (themeforest.net, cpanel.net, php.net, ovh.net, doubleclick.net)
Also ".io" usually hosts legit internet businesses.
I'm from Israel, and this is the first time I've heard about the .קום tld. I've never seen any website that uses it.
The author mentioned that creating a new tld costs a minimum of 185k USD. This makes me wonder who would pay this kind of money for this completely useless tld.
Perhaps government organizations ?
Also not all TLD's cost 185k to create, ccTLD were given free to each country to mange for example, similarly language specific common gTLD may have had special provisions for some countries to manage perhaps.
If they managed it for only $185k I'm impressed, maybe if you did several on the same infrastructure.
It's a gold mine offering. There was a long queue of people quite sure that .binglebongle would be the new .com. Sometimes it was a marginally less stupid plan, like we can be a regional alternative - and Russia even has one that's actually making money - it isn't taking over the world, but it's Cyrillic and was never intended to. But most gold mines never produce gold, they just suck up people's money and dreams and spit out the bones.
The obscure brand TLDs are funnier. Not brands you've heard of like google, brands who are their own tiny corner of the non-IT world and figured they ought to have a TLD, so now they do to the tune of maybe six figures a year.
The Kerry Group for example owns several, as do some US financial outfits. Why? Because nobody who knew this was a stupid idea was in the room when it got decided.
> The obscure brand TLDs are funnier. Not brands you've heard of like google, brands who are their own tiny corner of the non-IT world and figured they ought to have a TLD, so now they do to the tune of maybe six figures a year.
While everyone here has certainly heard of Softbank, I find it amusing that they have their own TLD too (with sites like https://group.softbank/).
I'm pretty pissed off that some TLDs went to the exclusive use of corporations. I really wanted a domain with .fox but its taken by the media corporation which doesn't use it for anything.
Afaik most of the new TLDs are hosted by a few specialized ISPs that have enough DNS infrastructure to comply with ICANN's standards. Apart from tech companies, nobody wants to maintain DNS servers.
That would only work if the Hebrew keyboard layout they were using had this mapping of letters. Most language layouts for non-Roman scripts don't optimize for phonetically approximating the corresponding English letters (presumably on a QWERTY layout).
If the keyboard was set to Hebrew then the subdomain would also be spelled out in the wrong characters, so the URL would be nonsense or go to a different site. Additionally, as people mentioned, the standard Hebrew layout is incompatible with QUERTY (I am a Hebrew speaker and have never heard of the phonetic Hebrew layout you linked to). Also when you type the URL the characters would be spelled out in the oppose right-to-left direction as .com.
Many national TLD holders (ccTLDs) control a TLD in local language.
.lk registry, for example, also controls .ලංකා and .இலங்கை (sounding "Lanka" "Ilangei" in Sinhalese and Tamil, the two other official languages in Sri Lanka), and they do not cost $185K. In fact, ccTLDs don't cost any money as far as I'm aware. DNS servers are run by the government funding but there is no cost to pay to ICANN.
Strange that Netflix hasn't drunk the Registry cool-aid and bought their "all-encompassing" TLD package which registers their trademark across all TLD's for a special price. On top of that, I'm doubly surprised Google hasn't taken action and already put this domain on hold in preemption of selling Netflix one of these deals.
That is a thing for at least one Registry that I know of (and worked for), I don't know if Google does the same, but I don't believe there is anything stopping them (please correct me if I'm wrong).
afaik there's nothing that requires registries to use a DPML and it doesn't really make sense unless they manage lots of TLDs, since the cost of adding your trademark to the DPML is usually a lot more than the cost of a single registration.
UDRP typically rules in favor of the holder of the unambiguous trademark in these kinds of cases. As an example, "Exxon Mobil" refers unambiguously to a single entity only, and has no other possible uses, so anyone registering exxonmobil.{anything} would lose if the company came after them. No one else has any right to that trademark, and ICANN enforces trademark rights on domains.
If the trademark already existed when you bought the domain, and especially if it's widely used and ambiguous, you're gonna lose that domain if the company comes after you.
Contrast this with the case of, e.g., McDonald, which is a widely used surname that predates the existence of the trademark. So long as you specifically aren't trying to cause confusion with the McDonalds restaurant trademark, you can use "mcdonalds" in a domain name.
Yes, but the argument GP responded to was that "ICANN enforces trademark rights on domains" and that "If the trademark already existed when you bought the domain, and especially if it's widely used and ambiguous, you're gonna lose that domain if the company comes after you."
He argues that the practice has its basis in trademark laws. If it is so, nominative use of a trademark to e.g. criticize a product is considered fair use and shouldn't be ruled out by ICANN on that basis. It either wouldn't be, or ICANN have some other basis than trademark law for their rulings.
So GP's point raises an interesting question. If you had registered e.g. "google.sucks" or something similar in which the FQDN arguably forms a valid nominative use in itself in good faith to use that domain to criticize Google's business decisions and products, does ICANN have some other policy outside respecting trademark law that would compel them to take the name back and give it to Google?
The answer to that question isn't "Free speech is a right issued by governments to the people". That's a pointless non sequitur at best, and I'm frankly tired of hearing it used in defense of huge monopolies that are well deserved of scrutiny in the interest of defending freedom of expression.
I agree in that perhaps entities with a public platform (in this case, literally the internet domain) should be compelled to provide reasonably equal access/equal speech rights to everybody.
However, the law is not in that rationale's favor. US courts have repeatedly rejected the argument that private companies are state actors subject to the 1st Amendment [0].
The reality is that the internet is governed almost entirely by private companies.
> I agree in that perhaps entities with a public platform (in this case, literally the internet domain) should be compelled to provide reasonably equal access/equal speech rights to everybody.
Agree with who? I said that I'm tired of seeing the defense, especially when it's in response to a concrete question that it doesn't answer. You apparently disagree with that entirely. I'm not tired of the defense because I don't understand it, I'm tired of it because I do understand it and don't need constant reminders of it to derail legitimate discussions of how ICANN deals with possibly trademark infringing uses of their services.
I don't know what makes you believe that I don't understand that and keep posting links irrelevant to how ICANN deals with these cases, which again is the question being asked. I'm frankly not sure how I didn't make that clear in my last reply.
You can see every domain with SUCKS in it filed against and the outcome. 66 Granted (complainant won). 35 Denied. 4 Split.
My favorite domain filed against from the list: guinness-beer-really-really-sucks.com also against the guy who got the anti cyber squatting legislation created by pointing disney typos to porn.
He admitted he only registered it because netflix didn't, and he had no other non netflix related website in mind to host there. I think that's borderline bad faith. Its not exactly good faith. If he had never heard of netflix he never would have registered it.
The article literally says that he only registered it because it clashed with an existing company. He didn't want the domain name for any other purpose.
A Google domain name is lying on the ground. An IT guy walks past it. A friend asks: "Didn't you see the Google domain name there?" The IT guy replies: "I thought I saw something, but I must've imagined it. If there had been a Google domain on the ground, someone would've picked it up."
For anyone unfamiliar, this is a clever riff on a classic economics joke about the Efficient Market Hypothesis [1].
"Two economists are walking down the street and one of them notices what appears to be a $20 bill (or a $100 bill—the monetary amounts vary) on the sidewalk. “It’s not a real $20 bill,” the other economist declares. “If it were a real $20 bill, someone would have picked it up off the sidewalk already.”
Except the $20 bill in this case is a $-10 bill (or whatever the domain name costs), as there is no profit to be made by registering a top company's trademark as a domain name.
He bought mikerowesoft.com though, not microsoft.soy. It would not have ended the way it did if he'd bought the latter. His case was a lot less clear cut than a blatant exact string match on an unambiguous trademark. Also, Mike Rowe is actually his name; Netflix is not this guy's name.
I think Nissan.com is more illustrative -- it was a guy named Nissan[1] who had an actual computer business in his name and got to keep it away from Nissan Motors, but now his site has a lot more to do bragging about his fight with the motor company than actual computer stuff.
[1] Hebrew/Israeli name usually transliterated as "Nisan"
Took a quick look at the case. I'm guessing some corp lawyer, maybe even general counsel, didn't have enough "real work" to do and needed to make a name for himself. Then it became a giant d* measuring contest.
Source: Went to law school. Never practiced though.
They got bad self-serving advice from lawyers. A lawyer doesn't get paid much if all they do is write up a contract for a private agreement to buy a domain, but they get paid a lot if the disagreement goes to trial instead.
No there isn't. Companies won't pay you money for having cybersquatted on their obvious trademark. You'll lose the domain flat out through UDRP.
The best outcome that can happen to you if you find yourself in such a situation is that you relinquish the domain name for free and nothing further comes from it.
Arbitration through UDRP is expensive, both in terms of process costs and employee time. A reasonable company would probably pay more than registration costs to avoid it.
You're underestimating how much value there is to companies in setting precedent on defending their trademark with an easy and practically guaranteed win. Companies need to proactively defend their trademark when it's being infringed upon or they risk losing it, and this is a really easy way to defend it.
Now this a valid reason to give your kid the surname of a brand. To get rich quick. Too bad that this also limits employment options in the long run (can you imagine Google to work for Amazon?)
>you also need to have used it in business already.
What is this based on? Because surely I have the right to own mylastname.suffix without being a business even if someone decides to make a business that bears my family name.
For the curious, .soy seems to be one of the more expensive TLDs. It's $34.54 at Gandhi, $25.98 at Namecheap, $35.99 at Network Solutions, and $20 at Goggle. (I also tried at Bluehost, HostGator, and Godaddy, but none of them seem to even offer .soy).
It looks like netflix.soy was registered via Google, so that would be a $-20 bill.
A domain can be either resold to another third party or could be sold to the trademark owner itself. You might reach a price agreement that brings you some money and costs the trademark owner less than getting a lawyer involved.
A little anecdote. I actually had this exact situation happen to me when I was a kid.
I was walking in a crowded street just outside a shopping center and there where a bunch of $50 bills being blowed by the wind. No one was paying any attention to them so I picked one of them up. You can imagine my surprise when I realised that they were real.
All in all it ended up to be roughly $3000 and my mum took the money to the police station. No one claimed it and a few months later we got to keep it.
I don't doubt google would attempt to do this, and probably win simply by being able to out resource an individual who registered the domain, however, my limited understanding of trademark law is this wouldn't necessarily be a valid claim.
My understanding is trademarks are a protection against consumer confusion, so as long as companies aren't selling similar products or services, or competing in the same geography there isn't a problem. This is difficult with google, but a non-tech scuba company operating under google.scuba or googlescuba.com wouldn't necessarily infringe on google the tech company unless they're actively doing something to make consumer believe they're dealing with google the tech company.
Google is difficult with it's large breadth of interests, but for most tech companies this is likely more about exploiting flaws with the legal system by out resourcing opponents more than legitimate claims (thinking the oracles, salesforces, dells, Intels, etc).
IANAL but I'm pretty sure those examples could still be trademark infringement. Since Google is a global company and brand, someone could easily assume since your site is called google.scuba or googlescuba.com, you are in some way affiliated with or endorsed by Google. Perhaps you'd be OK if you made it very clear that wasn't the case, but I wouldn't want to bet on it.
I don't know what legal relationship it has to US trademark law, if any, but I've heard ICANN has its own sort of arbitration process for domain squatting disputes.
There's a bunch of good TLD's available every week on https://www.namebase.io/ for a lot less than ICANN charges. For example recently someone got the js/ TLD for about $19k in HNS. (compare that to ICANN's $200k application fee)
Namebase is built on the Handshake protocol - a decentralized, permissionless naming protocol where every peer is validating and in charge of managing the root DNS naming zone with the goal of creating an alternative to existing Certificate Authorities and naming systems. (https://handshake.org/)
So… these aren't accessible without specially configured DNS, right? Given that the point of domains is to let people get to your site, a TLD only accessible after reconfiguring your computer to use a little-known DNS competitor seems worth a hell of a lot less than $19,000.
The whole framework arounds TLDs is very strange to me. One one hand, opening up all these gTLDs was supposed to alleviate problems with domain parking and name clashes (e.g. you could disambiguate your .blog from a .pizza restaurant). But all this did was shift the parking to other domains, some of which are ludicrously overpriced (anyone remember the .io hype?)
Secondly, regardless of where your site is hosted, you're also bound by the registrar's laws/restrictions (especially for ccTLDs), which doesn't make sense for something that is purely a routing mechanism that translates a name to an IP. It'd be fine if domain names were plentiful, but domain hacks[0] also make people use TLDs without regard to considering their territory or any implications.
The whole .org fiasco only proved further that this model with ICANN and for-profit registrars isn't tenable and a horrible fit for an open distributed internet. All these perverse incentives and political fuckery should not exist for something that is an essential part of a worldwide utility.
I'd love if HNers could share any promising alternatives to our current DNS system.
I was just talking to a friend yesterday about "domain hacks" (where you spell some word using the TLD) in the context of country-code TLDs. Those raise some interesting issues for political reasons [1, 2].
For the newer TLDs like .soy, .pizza, .restaurant, etc. I really can't imagine that these would be adopted quickly. Even to me, these are barely recognized as URLs at all. And the possibility for domain name confusion really skyrockets, as demonstrated by the submission.
Not always, i had for a few years the domain name of a top 10 website we all know, with a TLD for my country (.pt). I just kept it and did nothing with it and one day got a €30k offer.
I mean technically, maybe, but it's extremely unlikely that they'd sue without sending a C&D first. And given the lack of damage even if they did it'd likely get dismissed quickly with him just giving up the domain.
The biggest trouble people get themselves into with this kind of thing is if they, upon being contacted by the company, ask for money instead of immediately offering to transfer the domain to them free of charge. At that point it's trademark cybersquatting and they have your own words in the email as proof.
Speaking from personal experience here: being on the end of any kind of notice with the threat of legal force, even if it's not a lawsuit yet, is the kind of stress you just don't need in your life.
People have gotten in serious hot water over Internet traffic that was accidentally sent to them. Owning someone else's trademark as a domain name seems liable to increase the risk of that happening. Even if you aren't up to no good, you've now placed the onus on yourself of proving that you weren't, whereas if you weren't squatting on an obvious TM domain that wouldn't be true.
Also if you lose one case, you are likely to have that used against you in the future (pattern of behavior). So any subsequent defense may be weaker in a system that already strongly favors TM holders.
I don't really agree with the premise of this post. Why should Netflix or Google have to buy a domain for every stupid gTLD that someone paid a few $100k to create? The author makes it sound like that's somehow an oversight on their part.
If anything, it's sad that they ended up having to own so many gTLDs just to prevent abuse.
I think that’s what he’s saying: that this system of hundreds of TLDs means that companies can easily miss one and that becomes a vector for phishing, etc. It sounded like he was blaming ICANN, not Netflix or Google.
I used to work for a Big Media Company. They used to scramble to by BigMediaCompany.<new tld> whenever there was a new tld.
Then one day they stopped. The legal department decided that if someone were to buy it and use it in a way that infringed on their trademark, it would be cheaper/easier to sue or file an injunction.
For a while it was an extortion game. A new .tld like ".mobi" or ".music" would start, and they'd offer the names to fortune 500 trademark holders for $$$$$.
There's a terrible enterprise security product that can be configured by IT to quasi-MITM your company web traffic. Instead of relying on enterprises pushing their own trusted root certs and MITMing the whole session this terrible product redirects all traffic to (and I'm not kidding here) urls like "www.terriblesecuritycompanyname.com/www.originalurl.com" when the user accesses www.originalurl.com.
So this "enterprise security" company encourages end users to put information such as passwords into www.terriblesecuritycompanyname.com/owa.office365.com for example. Of course everyone has SSO enabled for Office 365 but everyone is also used to SSO sometimes breaking and falling back to forms based auth so people have no issue typing their passwords into any page that looks somewhat legit as long as the URL is close to what they expect and has a little lock next to it.
Anyway www.turriblesecuritycompanyname.com is available and I'm waiting for someone nefarious to purchase it and start sending phishing emails with links to www.turriblesecuritycompany.com/owa.office365.com embedded in them.
It depends on which ethical framework you subscribe to, but if I were in your shoes using my ethical framework, it seems like the small cost to me to purchasing an available domain (making the assumption here it's a standard buy and it's not one of those "make an offer for $10k" domains...) to mitigate a lot of potential hurt to other people would make me lean toward just purchasing the domain myself, or at least making the correct people aware. An equally valid counterexample would be a framework where you didn't cause the harm, so you have no obligation to intervene.
Your ethical framework in this case could clash with the arguably broken legal framework that we currently live in.
Buying a domain like that could get you into legal trouble once it is found out and people track sensitive traffic funneling to the domain. Even if you aren't doing anything with the information.
Do you know what they did (assuming not nothing) to have browsers continue to enforce the same-origin policy, and block www.terriblesecuritycompanyname.com/evilhacker.com from accessing cookies that belong to www.terriblesecuritycompanyname.com/owa.office365.com?
I haven't looked into it that deeply to see how (whether) they're handling same origin or cookie access. I assume they're doing some kind of magic other than just rewriting the URLs.
If you haven't been involved with enterprise information security you'd be surprised by how intrusive and poorly conceived these services are in a lot of cases. Tavis Ormandy and others have famously found many AV products to be running un-sandboxed untrusted javascript in kernel mode. In line web proxies have been found to do things like sign untrusted or revoked certs with a trusted root cert.
It's all pretty much a big grift to capitalize on companies' rightful cyber security fears.
> redirects all traffic to (and I'm not kidding here) urls like "www.terriblesecuritycompanyname.com/www.originalurl.com" when the user accesses www.originalurl.com.
What is the theoretical security feature they are selling by doing this?
The ability to block malware and phishing domains, insight to IT people about what sites are being visited, content filtering, etc. While most of this should be implemented in another way (like maybe a mandatory browser extension?), MITM is still the standard approach for many companies.
apple.beer is actually a pretty good domain name for a cider company. Not technically accurate of course, but pretty good from a marketing perspective.
271 comments
[ 2.9 ms ] story [ 254 ms ] threadMore generally, however: all these TLDs are kind of stupid, and trying to make sure you own every single TLD for your business is similar to a protection racket where you have to pay just so something bad doesn't happen to you. Perhaps we should stop trying to make a billion of them.
"dk’s server IP address could not be found."
Perhaps that will work.
I maintain a list at captnemo.in/tld-a-record
Google was pointing its TLDs to 127.0.0.53, and once they started using the TLDs actively, they removed the records.
http://to./ used to be a URL shortener.
Either the rules on ccTLDs are different, or it's a recentish crackdown.
Some ccTLDS voluntarily agree to abide by the same rules and operational requirements as the gTLDs - https://www.icann.org/resources/pages/cctld-2012-02-25-en has more details.
This means, for example, than ccTLDs aren’t bound by the findings from SAC053 at https://www.icann.org/en/system/files/files/sac-053-en.pdf which have been included in the gTLD contracts.
I called my FreeNAS box freenas because I didn't feel very creative, and I can browse to it as http://freenas or http://freenas./ but if they took a domain of 'freenas' suddenly that means I have to do extra work and rename my stuff. Doesn't seem fair!
Can you imagine all the search advertising Google would lose if they allowed just 'nike' and 'att' to resolve the websites in Chrome, rather than search results?
My guess is that they were never available and there are doing a poor job of figuring out which domains are taken and which are not. I've been this in several other domain name search sites too, especially if there is no nameserver for a registered domain.
I worked on some registrar-related stuff years ago now and even at that time, Verisign was known for having poor support of providing information about .com registrations.
If people only knew that the internet was held together with bubblegum and duct tape...
Every fundamental layer has just crazy / old legacy foundations that are just incompatible with safe systems. Really opened my eyes when I saw how telco routing worked at the lowest levels.
It must have been a bug in Google Domains, all three domains were registered ~5 years ago.
This isn't isolated to Google Domains, however. GoDaddy's website let me go through the entire checkout process with 2 or 3 registered domain names, followed by a refund an hour later.
It's possible that google and other major brand names don't have to register every extension, the names are just reserved for them alone, should they want them.
There was a temporary bug in Google Domains that made it appear as if he had bought google.com, but he had not.
https://www.verisign.com/en_US/channel-resources/domain-regi... https://krebsonsecurity.com/2020/01/does-your-domain-have-a-...
It's a recommended best-practice for high-value sites, which the main website of any Fortune 500 company certainly falls under.
The guy in the article did in fact buy a google.tld - https://google.xn--9dbq2a/
So because they could do it, anyone who points out it's not possible now should be downvoted and asked to explain themselves with:
Why is it not possible, beside the fact that it's not possible?
[Edited to remove excess frustration/annoyance/snark at people quibbling so much about a totally inconsequential and factual remark.]
[1] https://newgtlds.icann.org/en/about/trademark-clearinghouse
I registered a domain name with a client's trademarked name in it as part of an authorized penetration test of that client a few years ago. At the end of the test, I asked if they wanted me to transfer it to them, and they didn't. A year later, when it expired and the domain privacy stuff went away, all of that automated enforcement machinery started running, and suddenly I was being threatened with all sorts of arbitration/court appearances if I didn't transfer the domain (which I no longer owned) to them. Took weeks to sort out, and that was with documentation that I'd bought the domain as part of a pen test the client had specifically agreed to.
Regardless, they certainly can register all the names for you, if that's what you ask them to do, but at some point, there's an awful lot of names, and it feels extortiony to pay for them all. I was working for a MarkMonitor client when the 'landrush' for all these new tlds was happening, and we'd get frequent emails about which tlds were going live soon, so we could decide if we wanted foo.bike or foo.sexy or foo.personals, or whatever. And then, if we wanted to pay rediculous prices to get it early, or wait and see if we could get it at normal price (+ hefty MarkMonitor markup). We would almost certainly win a UDRP, but that's expensive too.
Then we got bought, and the new corporate overlords liked throwing money away on dumb domains, so foo.bike got registered by their team (and they had an actual domain team, so I got to shed that hat).
However, that's not really what most companies are worried about, they're worried about phishing or scams or misleading sites with their name; UDRP should allow those to be taken down fairly easily, although the question is always if it's less expensive to register the domain or to leave it unregistered and dispute it if it's misused.
If any of the big names found someone using a clone domain and objected to it, the domain owner - I'd expect - would find themselves having a chat with keenly interested IP attorneys.
Wouldn't surprise me if big tech like Google does the same.
My conclusion was that your domain name must not be in the form of YourName.tld; the tld must be part of your name. You can either use puns like buying yourna.me, but it's a bit weird for non-tech people, or you have to use the weirdness of tlds and go for something like lostin.space. There is less confusion at "what comes after" because there is only one.
No they don't.
The same problem exists with subdomains, for example some users may visit "netflix.trustworthy-sounding-domain.com" and not notice the issue.
Meanwhile, using a weird TLD can raise suspicion even for legitimate sites. Get a dot com.
On the other hand, someone owns and operates .soy, and has to actually approve new domains getting created. Part of that process could be a step that automatically screens for scammy looking registrations.
So they send people emails with URLs like "netflix.user-support.com" where "user-support.com" is owned by the malicious actor. This is extremely common.
I honestly don't see any other problem. How else would you get people to visit "netflix.soy", if not by the same mechanism? It doesn't matter who controls which part of the domain, users are either going to notice the odd parts of the domain, or they are not. The fact that one is a TLD and the other isn't doesn't really make a difference, at least for uncommon TLDs.
> On the other hand, someone owns and operates .soy, and has to actually approve new domains getting created. Part of that process could be a step that automatically screens for scammy looking registrations.
Yes, but that wouldn't do anything to solve the problem. It would only make things more expensive. I honestly don't see the issue with anybody owning "netflix.soy" unless they're malicious, but in that case owning "netflix.anything-else.com" would be just as bad, if not worse. Since we can't really prevent the latter case, preventing the former case is moot.
The advice I give my non-techie friends is avoid going to any business website that is not a “.com”
You can't actually mean that? Country TLD? (Eg .CA) I'm actually pretty impressed by how the .CA registry (CIRA) has branded itself in Canada. There's even a bit more legitimacy for sites because it's clear they're operating in Canada (or have at least made an effort for Canadian representation).
What about ".net"? It's a pretty old, established domain with many large companies using it (themeforest.net, cpanel.net, php.net, ovh.net, doubleclick.net)
Also ".io" usually hosts legit internet businesses.
Ha. Do you give these friends other advice of the same calibre? I wonder what they think of you.
"If you've got a choice of brands, you can't go wrong with Trump, it's a sign of quality"
"The smaller the house, the bigger the dog you want, if you've got a tiny apartment buy a Great Dane or a Newfoundland, that way it's cosy"
"There's no such thing as too much salt. When cooking don't bother tasting it, just add twice as much as you think you need"
The author mentioned that creating a new tld costs a minimum of 185k USD. This makes me wonder who would pay this kind of money for this completely useless tld.
[0]: https://icannwiki.org/.%D7%A7%D7%95%D6%B9%D7%9D
[1]: https://gtldresult.icann.org/applicationstatus/applicationde...
It's a gold mine offering. There was a long queue of people quite sure that .binglebongle would be the new .com. Sometimes it was a marginally less stupid plan, like we can be a regional alternative - and Russia even has one that's actually making money - it isn't taking over the world, but it's Cyrillic and was never intended to. But most gold mines never produce gold, they just suck up people's money and dreams and spit out the bones.
The obscure brand TLDs are funnier. Not brands you've heard of like google, brands who are their own tiny corner of the non-IT world and figured they ought to have a TLD, so now they do to the tune of maybe six figures a year.
The Kerry Group for example owns several, as do some US financial outfits. Why? Because nobody who knew this was a stupid idea was in the room when it got decided.
While everyone here has certainly heard of Softbank, I find it amusing that they have their own TLD too (with sites like https://group.softbank/).
not until your comment had I heard of "softbank"
That actually seems quite useful, if people are typing not realizing the keyboard is set to Hebrew.
It appears that they don't match to the TLD letters here: https://en.wikipedia.org/wiki/Hebrew_keyboard
The Hebrew keyboard layout has no relation to QWERTY in terms of phonetics.
Usually used by non-native Hebrew speakers.
> 'בםצ' (which is not even pronounceable)
Sounds like a new snack from Osem :)
.lk registry, for example, also controls .ලංකා and .இலங்கை (sounding "Lanka" "Ilangei" in Sinhalese and Tamil, the two other official languages in Sri Lanka), and they do not cost $185K. In fact, ccTLDs don't cost any money as far as I'm aware. DNS servers are run by the government funding but there is no cost to pay to ICANN.
That's a thing? What's preventing a predatory registry from being a holdout and demanding exorbitant prices?
afaik there's nothing that requires registries to use a DPML and it doesn't really make sense unless they manage lots of TLDs, since the cost of adding your trademark to the DPML is usually a lot more than the cost of a single registration.
How were they registered in bad faith? He's not extorting money from netfilx, nor is he trying to deceive people into thinking he's neflix.
If the trademark already existed when you bought the domain, and especially if it's widely used and ambiguous, you're gonna lose that domain if the company comes after you.
Contrast this with the case of, e.g., McDonald, which is a widely used surname that predates the existence of the trademark. So long as you specifically aren't trying to cause confusion with the McDonalds restaurant trademark, you can use "mcdonalds" in a domain name.
Which is what happened to nissan.com
It is not a valid concept between two private parties.
https://money.cnn.com/2017/08/08/technology/google-workplace...
He argues that the practice has its basis in trademark laws. If it is so, nominative use of a trademark to e.g. criticize a product is considered fair use and shouldn't be ruled out by ICANN on that basis. It either wouldn't be, or ICANN have some other basis than trademark law for their rulings.
So GP's point raises an interesting question. If you had registered e.g. "google.sucks" or something similar in which the FQDN arguably forms a valid nominative use in itself in good faith to use that domain to criticize Google's business decisions and products, does ICANN have some other policy outside respecting trademark law that would compel them to take the name back and give it to Google?
The answer to that question isn't "Free speech is a right issued by governments to the people". That's a pointless non sequitur at best, and I'm frankly tired of hearing it used in defense of huge monopolies that are well deserved of scrutiny in the interest of defending freedom of expression.
However, the law is not in that rationale's favor. US courts have repeatedly rejected the argument that private companies are state actors subject to the 1st Amendment [0].
The reality is that the internet is governed almost entirely by private companies.
https://crsreports.congress.gov/product/pdf/R/R45650
Agree with who? I said that I'm tired of seeing the defense, especially when it's in response to a concrete question that it doesn't answer. You apparently disagree with that entirely. I'm not tired of the defense because I don't understand it, I'm tired of it because I do understand it and don't need constant reminders of it to derail legitimate discussions of how ICANN deals with possibly trademark infringing uses of their services.
I don't know what makes you believe that I don't understand that and keep posting links irrelevant to how ICANN deals with these cases, which again is the question being asked. I'm frankly not sure how I didn't make that clear in my last reply.
You can see every domain with SUCKS in it filed against and the outcome. 66 Granted (complainant won). 35 Denied. 4 Split.
My favorite domain filed against from the list: guinness-beer-really-really-sucks.com also against the guy who got the anti cyber squatting legislation created by pointing disney typos to porn.
The article literally says that he only registered it because it clashed with an existing company. He didn't want the domain name for any other purpose.
"Two economists are walking down the street and one of them notices what appears to be a $20 bill (or a $100 bill—the monetary amounts vary) on the sidewalk. “It’s not a real $20 bill,” the other economist declares. “If it were a real $20 bill, someone would have picked it up off the sidewalk already.”
[1]: https://www.barrypopik.com/index.php/new_york_city/entry/if_...
[1] Hebrew/Israeli name usually transliterated as "Nisan"
Surely they can afford it.
Source: Went to law school. Never practiced though.
Yes, they were here first.
The best outcome that can happen to you if you find yourself in such a situation is that you relinquish the domain name for free and nothing further comes from it.
And that costs money.
They've had the domain for years.
Happens all the time, as many brand names come from family names and the founder isn't the only person bearing that name.
What is this based on? Because surely I have the right to own mylastname.suffix without being a business even if someone decides to make a business that bears my family name.
There was famously an apple store employee called "Sam Sung" - https://www.cultofmac.com/290116/sam-sung-auctioning-apple-s...
For the curious, .soy seems to be one of the more expensive TLDs. It's $34.54 at Gandhi, $25.98 at Namecheap, $35.99 at Network Solutions, and $20 at Goggle. (I also tried at Bluehost, HostGator, and Godaddy, but none of them seem to even offer .soy).
It looks like netflix.soy was registered via Google, so that would be a $-20 bill.
A domain can be either resold to another third party or could be sold to the trademark owner itself. You might reach a price agreement that brings you some money and costs the trademark owner less than getting a lawyer involved.
I was walking in a crowded street just outside a shopping center and there where a bunch of $50 bills being blowed by the wind. No one was paying any attention to them so I picked one of them up. You can imagine my surprise when I realised that they were real.
All in all it ended up to be roughly $3000 and my mum took the money to the police station. No one claimed it and a few months later we got to keep it.
google.pizza, google.yoga, google.keyboard will all be trivially easy for Google to claim trademark infringement for.
So while it's cute that you can register "google.soy" -- if Google cares enough they'll take if from you.
aka domain names.
My understanding is trademarks are a protection against consumer confusion, so as long as companies aren't selling similar products or services, or competing in the same geography there isn't a problem. This is difficult with google, but a non-tech scuba company operating under google.scuba or googlescuba.com wouldn't necessarily infringe on google the tech company unless they're actively doing something to make consumer believe they're dealing with google the tech company.
Google is difficult with it's large breadth of interests, but for most tech companies this is likely more about exploiting flaws with the legal system by out resourcing opponents more than legitimate claims (thinking the oracles, salesforces, dells, Intels, etc).
See: https://en.m.wikipedia.org/wiki/Trademark_dilution
In fact, they're the only good argument in favour of expanded TLDs that I can think of.
Namebase is built on the Handshake protocol - a decentralized, permissionless naming protocol where every peer is validating and in charge of managing the root DNS naming zone with the goal of creating an alternative to existing Certificate Authorities and naming systems. (https://handshake.org/)
Secondly, regardless of where your site is hosted, you're also bound by the registrar's laws/restrictions (especially for ccTLDs), which doesn't make sense for something that is purely a routing mechanism that translates a name to an IP. It'd be fine if domain names were plentiful, but domain hacks[0] also make people use TLDs without regard to considering their territory or any implications.
The whole .org fiasco only proved further that this model with ICANN and for-profit registrars isn't tenable and a horrible fit for an open distributed internet. All these perverse incentives and political fuckery should not exist for something that is an essential part of a worldwide utility.
I'd love if HNers could share any promising alternatives to our current DNS system.
[0]: https://en.wikipedia.org/wiki/Domain_hack
For the newer TLDs like .soy, .pizza, .restaurant, etc. I really can't imagine that these would be adopted quickly. Even to me, these are barely recognized as URLs at all. And the possibility for domain name confusion really skyrockets, as demonstrated by the submission.
[1] https://priceonomics.com/the-rise-and-fall-of-ly/ [2] https://www.thewebmaster.com/hosting/2016/feb/27/io-tld-top-...
In a couple of weeks the follow-up "Google cancelled my Gmail account and won't tell me why"
No, they will file a dispute and get them at registration cost, because they own the trademark.
There's all downside and no upside to playing this particular stupid game.
But... INAL and this is not legal advice.
Speaking from personal experience here: being on the end of any kind of notice with the threat of legal force, even if it's not a lawsuit yet, is the kind of stress you just don't need in your life.
You've piqued my curiosity. Any examples to share?
Also if you lose one case, you are likely to have that used against you in the future (pattern of behavior). So any subsequent defense may be weaker in a system that already strongly favors TM holders.
If anything, it's sad that they ended up having to own so many gTLDs just to prevent abuse.
Then one day they stopped. The legal department decided that if someone were to buy it and use it in a way that infringed on their trademark, it would be cheaper/easier to sue or file an injunction.
For a while it was an extortion game. A new .tld like ".mobi" or ".music" would start, and they'd offer the names to fortune 500 trademark holders for $$$$$.
But, uhh, I would certainly not decline if Facebook were to try to purchase it to make it reroute to Instagram.
So this "enterprise security" company encourages end users to put information such as passwords into www.terriblesecuritycompanyname.com/owa.office365.com for example. Of course everyone has SSO enabled for Office 365 but everyone is also used to SSO sometimes breaking and falling back to forms based auth so people have no issue typing their passwords into any page that looks somewhat legit as long as the URL is close to what they expect and has a little lock next to it.
Anyway www.turriblesecuritycompanyname.com is available and I'm waiting for someone nefarious to purchase it and start sending phishing emails with links to www.turriblesecuritycompany.com/owa.office365.com embedded in them.
Buying a domain like that could get you into legal trouble once it is found out and people track sensitive traffic funneling to the domain. Even if you aren't doing anything with the information.
One thing I've learned about "infosec" companies is that their litigiousness is inversely proportional to their actual level of security.
The similar domains I've seen are only $9 though so it's just a matter of time.
Do you know what they did (assuming not nothing) to have browsers continue to enforce the same-origin policy, and block www.terriblesecuritycompanyname.com/evilhacker.com from accessing cookies that belong to www.terriblesecuritycompanyname.com/owa.office365.com?
If you haven't been involved with enterprise information security you'd be surprised by how intrusive and poorly conceived these services are in a lot of cases. Tavis Ormandy and others have famously found many AV products to be running un-sandboxed untrusted javascript in kernel mode. In line web proxies have been found to do things like sign untrusted or revoked certs with a trusted root cert.
It's all pretty much a big grift to capitalize on companies' rightful cyber security fears.
What is the theoretical security feature they are selling by doing this?
If I were a blackhat with money, I'd register the ".con" TLD.
... Sure hoping a whitehat gets it first.
There are guidelines provided by icann
http://archive.icann.org/en/topics/new-gtlds/comments-en.htm