92 comments

[ 3.7 ms ] story [ 167 ms ] thread
I used to think it was .onion. I owned my .onion domains in the sense than only I had the private key that corresponded to the hash that was my brute forced vanity domain. I thought that meant I had control over them. I was wrong.

It turns out that even in p2p networks if there's one one dominant development group then that group owns your domains. The Tor Project decided that tor v2, with all it's potential exploits, could not exist alongside tor v3 and so all the tor v2 domains will disappear to the official tor clients this october 26th.

I don't own my .onions so I won't be making v3 sites.

You literally explain in your comment that you’re mad that you can’t continue to use a known vulnerable system which has been out of vogue for years. I’m confused.
They also explain why, so no need to be confused.
An explanation which makes no sense isn't a good explanation.
Most people hear "tor" and they immediately think of illegal, shady stuff. And yeah, there's a lot of that there. So, for the last decade The Tor Project has been promoting onion sevices as a thing for everyone and that people should put their normal sites on tor too. There's more normal people than shady people and if we all use tor it could legitimize it.

Well, I did. I really put all my normal sites on tor too as hidden services. And I got a lot of traffic, even after I stripped out the bots that made up 3/4 of it. My usage didn't really depend on absolute security. Even with the possible hash collisions it was safer than giving all trust to some centralized corporation at the start. So, I wanted to keep using it.

But the tor projects real priorities, obviously, lie with absolute security. They were never serious about making tor and onion services a place for everyone. They only care about the people that care about security to the detriment of all else.

So... knowing this, I'll stop using tor for my websites since it's only for security first and only types.

> Most people hear “tor” and they immediately think of illegal, shady stuff.

To be fair, the US intelligence community created it for (what is, from the perspective of the governments in whose juridiction the actions were to be carried out, at least) extremely illegal, shady stuff, and relies on lots of people using it, including for other illegal, shady stuff, to make use for and concealment of the kind of illegal, shady stuff it is meant for effective.

So, that’s exactly what people should think. All other use is incidental and supportive of the primary purpose.

You do have control over them because, indeed, you have the private keys (and the NSA too, reminds me of the Facebook setting "only me+NSA" (only three quarters joking)). You want to run v2 domains? Go ahead, but the people that want to visit your legacy addresses must use the legacy software. It seems like an inherent risk with software-controlled domains that the (old) software (version) might not be used anymore.
Just googled "only me+nsa" and got literally 4 results.

Huh.

Got a screenshot or citation for that? Very curious, never used facebook.

It's a meme where a screenshot of fb post visibility settings is edited to change the "only me" option to "only me and the NSA"
Ah :D. Definitely fell for that one, thought for a moment that maybe it existed at the very start or something.
You still have control over your v2 address, you just can't force others to use it with their software.
They have, since 2018.

Given the exploits in the v2 onion sites, (suitably modified HSDirs being able to discover them and whatnot) the writing has been on the wall since well before then and it shouldn't be a surprise that they're going away.

(comment deleted)
Well that was abrupt. I was just getting into it, hit pagedown, and promptly hit the bottom of the page where the EU was dismissed and Iceland promptly declared victorious (together with .onion to which no laws apply in the first place).

What's wrong with Switzerland? Norway? I know very little about Chad or Japan or Micronesia, perhaps they have great TLD rules as well? Heck, what even was the issue with the EU in the first place? I can think of GDPR as being seen as problematic in some constrained context, but privacy rules don't apply to TLD ownership so this reader is just left wondering.

They kind of do actually, most TLDs AFAIK need to resolve to some sort of registered person or organization eventually.
Is Iceland the only country that does not? This would have been interesting info for the article.
According to ISNICs bylaws they do have a dispute mechanism:

  Article 31

  A Board of Appeals handles disputes regarding the registration of domains. The Board of Appeals is autonomous and independent. ISNIC carries out decisions of the Board within 10 days after they have been passed or on the next business day thereafter, if the current registrant does not accept the verdict. ISNIC will not carry out the Board of Appeal's judgements if legal proceedings have been instigated in respect of the same issue or an injunction been placed on the use of the domain in question before the Board of Appeals has reached a decision. Cases involving the registration of domains or refusal to register domains may be referred to the Board of Appeals.
I have domains on a European ccTLD. This is what they "resolve to":

holder.............: Private person

registrar..........: Private person

The registrar's name (that's me) used to be visible but that changed with stronger privacy requirements, soon after GDPR.

European trademark & hate speech laws (plus dns blocking of various domains associated with pornography or piracy) probably still apply so .is could be a free-er choice.

It's still registered though. Check any .nl domain on https://sidn.nl/en (you could try to put 'rop' in the 'check domain name' box), you just need to set a checkmark and agree to the Google terms of service to resolve their captcha and off you go.
Of course a domain is registered if it's registered.

It's just that different countries offer different degrees of privacy for the holder.

Sure but I mean it's centrally registered in the central WHOIS database. Of course the registrar has whatever data you put in their order form, that's obvious enough; what I mean is that they still forward your personal info to a central registry and the only thing GDPR changed about the WHOIS database is output filtering, or in SIDN's case not even that. I find it totally weird and invasive that this must be centrally registered in the first place (I grew up with my parents telling me not to use my real name anywhere online, let alone put it in a public database; maybe the problem is that I wanted a domain as a teenager and now it weirds me out?). Using privacy options means my paid-for domain is now not legally mine and I can't make use of any dispute procedure because the registry organisation has nothing in place for when my real name is not tracked in their database.
How can you expect it to be legally yours if your name isn't even recorded as being the owner anywhere? It seems like you have two fundamentally exclusive desires here: Complete anonymity, but also bulletproof ownership. I guess there's some blockchain solutions that meet your requirements, but no one uses them.

Nope also that e.g. land ownership is recorded and publicly accessible.

> I guess there's some blockchain solutions

Hah, but nah, way simpler: submit a hash. No chain that needs to be kept alive, just a simple old commitment scheme[1]. Or even just a name that you pick for yourself: similar to how authors can have the benefits of copyright without revealing their real name, why ought one not be able to operate lucb1e.com under the worldwide unique nickname lucb1e?

[1] https://en.wikipedia.org/wiki/Commitment_scheme

For .ca in Canada, which is administered by CIRA which is a non-profit corporation, the following is the policy:

--

When doing a WHOIS lookup, you can find details such as:

Status (i.e. if a domain is currently available or registered)

The creation, expiry, and updated dates

Registrar information

Registrant information*

Administrative, Technical and Billing Contacts*

*The registrant name and administrative and technical contact information of non-individual registrants, such as corporations, is displayed by default. The registrant name and administrative and technical contact information of individuals, such as Canadian citizens or permanent residents is not displayed in WHOIS per the CIRA Privacy Policy. Generally non-individuals are public and individuals are private.

--

* https://www.cira.ca/ca-domains/whois

I had an interesting experience with the registrar of a less-known ccTLD. I was happy to get my company’s three-letter domain at a fitting ccTLD, and had reluctantly accepted that the TLD doesn’t allow WHOIS privacy. Shortly thereafter I was straightening out a name server issue out with my registrar and I mentioned the WHOIS privacy bummer. Their response was something like “Oh, no problem. I’ll change it.”

Our WHOIS entry now has our registrar’s version of “Domains by Proxy” as the contact, despite the ccTLD not allowing Whois privacy. (And it was free.)

You do realize the article is referencing the linked EFF comparison?

https://www.eff.org/files/2017/08/02/domain_registry_whitepa...

Then only the TLDs are listed which "only avenue for domain takedown is through a local court, rather than through an arbitrator order or trusted notifier".

Additionally countries that are part of the 5 eyes, 9 eyes or 15 eyes, see picture at the top of the article, are out, too.

For the EU part, I think it has to do with the EU tendency of surveillance laws. On the one hand the EU claims privacy and security as a main goal and the other hand they try to backdoor E2E encrypted messengers.

Ah, no I did not realize that.

> Additionally countries that are part of the 5 eyes, 9 eyes or 15 eyes, see picture at the top of the article, are out, too.

That makes a lot more sense for excluding countries. They still made a bit of a leap with saying all of the EU is bad, we're more than 15 countries, but let's presume the 'eyes' countries cover the remaining TLDs that had this local court thing and that explains the author's selection.

That is, if local court is the only standard you want to go by. Another thing the article leaves as an exercise for the reader is whether any of those arbitration places have favorable rules compared to even the courts of Iceland for all I know.

That paper is a good read. It’s really disappointing that ICANN allowed the ngTLDs to engage in back room deals with the media and pharmaceutical industries. I think there was an effort to bring the ogTLD agreements inline with the ngTLD agreements, so I wonder if they’ve set it up so the ogTLDs can start doing the same.

ogTLD and ngTLD aren’t real names afaik. I use them for the original gTLDs and the new gTLDs.

ah, I was reading them as original gangster TLD and next generation TLD
(comment deleted)
This paper only includes a limited subset of TLDs. Many countries are missing, especially micronations could be interesting from this aspect.
Its even missing some EU member states.
This post makes me happy to own a .is domain , not that I was worried, but it's cool to accidentally have the bonus of what this post describes.
I hope one day, we will have some crypto blockchain gTLD that will resolve in the general DNS infrastructure. I know namecoin was a thing, but it never really picked up steam.

name -> IP address in a blockchain feels like one of the ideal use cases of it.

Maybe a premine started by a commercial entity would have enough financial backing to get started on it.

(comment deleted)
Check out Handshake: handshake.org - they even did a token drop to GitHub users with a certain amount of followers at the time of the snapshot
My worry about Blockchain gTLD is one disgruntled employee who has access to your setup could transfer your domain off, and there would be no legal or technical way to ever get it back. You would just have to change to a new domain.
Could it be mitigated by splitting the ownership between multiple people? So you would need N of M employees to approve a transfer?
Well if you are friends with the devs, perhaps they could create a fork that gives it back to you.
TLDs only controlled by local courts:

  Austria (.at)
  Germany (.de)
  Iceland (.is)
  Russia  (.ru)
Of these, the blog simply makes the claim that Iceland has the "strongest laws for individuals". Of those, I probably would have guessed that - germany doesn't have a great rep, and Russia...well.

So I don't necessarily disagree; but there is absolutely no justification actually given for elevating Iceland, and including that would seem to be half the value of the blog post.

.de is one of the largest ccTLDs in the world (used to be the largest not long ago), also very cheap, but it still has some 4 letter domains free (even 3, if you include digits)
Indeed. I was surprised to find my last name available as a numeronym, while the domain with my full last name has already been taken long ago.
(comment deleted)
Interesting that they don’t define free. I prefer my freedom of privacy over your freedom of expression, so which wins in a pithy contest?
freedom of speech also seeks to defend against compelled speech like private info
Explain how those clash for domains
Looks like there are no restrictions on nationality or language (like .cat).

I was unable to set up my domain with Cloudflare's name servers because you need to register the domain first and the registration process requires that the domain is served by the name servers you enter. I ended up selecting "parked" instead and should be able to switch it later.

Not sure how Iceland (.is) is outside EU laws, it's in the EEA, which I'm pretty sure means it's subject to (almost) all the EUs laws with little-to-no voting power or influence.
Also, Lugano convention (if I remember correctly).
Iceland also doesn't have its own military but does have US military bases and the US has promised to defend the country. This means that Iceland is dependant on a good relationship with the US and would act when requested.
> and would act when requested

Are you aware of any relevant precedent for this?

I think in general the US has tried to not be too overbearing with Iceland compared to other countries where the US has/had a military presence, but there's a few instances I can think of

The US leaned on Iceland really hard to reject China's invitation to the Belt and Road initiative (to the point where our politicians looked like complete jackasses), but I believe Iceland still hasn't joined in.

Going back way much further in history, the US also publicly pressured Iceland into desegregating Keflavik, after private negotiations didn't work out

Interesting. According to Wikipedia:

> The US government complied with an Icelandic government request not to station black soldiers on the US base in Keflavík, Iceland until the 1970s and 1980s when black soldiers began to be stationed in Iceland.

I'm very much surprised at that as well. Poor form from Iceland.
Having a bigger army always wins, and if Iceland is faced with ultimatums of losing such a sizable ally (the US) they'll do whatever they can, assuming they're worried about being invaded and conquered by a foe.
This always seems like such an important caveat that is rarely included in these lines of thought - Assuming they're worried about being invaded.

Thankfully, most countries are not in a position where they're even slightly concerned about a physical invasion. We have almost universally decided that invasion/conquest is a morally bad thing to engage in, so to my mind the continued effort to expand military forces implies an intention to break this agreed upon moral standing or at the least a lack of commitment to the stance.

There are allegedly 20 aircraft in the Irish Air Corps [1] and I sure hope we're in advanced enough stage of society that we're not solely reliant on those to protect ourselves!

[1] https://en.wikipedia.org/wiki/Irish_Air_Corps

My understanding is that the Irish Air Corps is so small because because the UK provides air defence.

https://en.wikipedia.org/wiki/Ireland%E2%80%93NATO_relations

In February 2015, two Russian Tupolev Tu-95 "Bear" nuclear-capable strategic bombers entered Irish-controlled airspace without permission, without forewarning, with their transponders switched off and failed to file flight plans, causing serious concern at the Irish Aviation Authority (IAA), which was forced to divert a number of civil passenger aircraft out of the path of the Russian bombers as a precautionary measure.[24] The Russian military aircraft were interrogated by RAF Eurofighter Typhoon jets scrambled from the United Kingdom, demonstrating the lack of an Irish military response and the reliance on the UK for the protection of Irish airspace.

...

The reports revealed that the Irish Department of Defence, Department of Foreign Affairs and Irish Aviation Authority entered into a bilateral agreement with the British RAF, Civil Aviation Authority, Ministry for Defence and Foreign and Commonwealth Office permitting the British military to conduct armed operations inside Irish sovereign or Irish-controlled airspace in the event of a real time or envisaged threat of an aerial terrorist-related attack on Ireland or on a neighbouring country.

Completely fair and accurate, but I think I didn't make my intention clear in my original post. I don't think the binding force of security is ever really militarily based. I don't think the only reason Irish airspace isn't inundated with threats is because of an agreement with the UK. I think internationally the overwhelming binding force of security is mutual agreement be it through trade arrangements, potential economic disruptions of being ostracized by the international community, etc etc.
I think all that fundamentally rests on the foundation of the raw military capacity of that "international community". Which, like most low-level implementation details, is something we only notice when it breaks.
Or take the red pill and go ENS (it now supports .com and btc addresses to name a few, not just .eth)
So if I type bankofamerica.com, does ENS respond with DNS controlled by whoever purchased it on the chain, or does it first lookup at verisign's root before going to ENS?
You can't purchase .com domains on ENS, only import them by providing a DNSSEC-based proof of ownership. This doesn't solve any of the problems with TLDs (ENS won't prevent the TLD operator from taking away your domain) so to get the benefits you have to use a ENS-centric domain like .eth
I thought the real red pill was Handshake (HNS).

You're not buying domains but instead are buying the TLD itself and then create domains on the TLD.

I haven't read up on it that much but their pitch of "stop renting the thing in front of the TLD, own the actual TLD" is pretty cool.

https://handshake.org/

https://www.namebase.io/

Yeah, that's what ENS is too. You're not actually registering .eth when you register an ENS. The .eth is intended to be one of many possible TLDs, with the only distinction that .eth is the default one when you first get it.

ENS has way more adoption and 3rd party support. I think it's our only hope of overthrowing the incumbents (existing centralized DNS system)

Can regular DNS records (A, AAAA) that resolve to an IP actually be used with ENS? And then are there browsers or browser plugins that support .eth as a TLD? As far as I can tell the ENS ecosystem only has IPFS (and wallet) address support. It's frustrating because ENS seems like the obvious answer for decentralized domains but I've never seen it used for anything but vanity names for ETH wallets and static IPFS sites.
gandi.net seems to charge $364/year for any .is domain. Namecheap charges around the same price as isnic.

Any reason why I shouldn't register the domain on isnic directly? Are there benefits to registering the domain via namecheap (or other registrar), apart from getting access to their support?

A big thing to consider with registrars is support for 2FA - can't speak to ISNIC, but I recently moved all my domains to Namecheap because they have first-class support for U2F/Webauthn. (And also Hover lost a domain on me but that's another story)
Gandi supports U2F as well.

And it's just something about a very aggressive marketing strategy like Hover's that doesn't give me a very secure feeling about their product.

Interesting... I have moved all my domains out of NameCheap for same reason - their "first class support" was just plainly terrible.

Mileage may vary I guess.

I was in the same situation. Moved away from NameCheap to Gandi.Net long ago due to this very thing. Hopefully things have improved for their users.
I have owned and managed my .is domain directly on ISNIC for over a decade. They support 2FA and the website is available in English as well.
Thanks! I registered directly on ISNIC.

Process was pretty straightforward and I was able to add my DNS records just fine. Do you know if they have any safeguards against domain transfers? I don't see any settings related to that, other than to transfer my domain.

I'd be more worried about a registrar messing with my domain than I would the ëyes".
To add another anecdote, I've had a .is domain from ISNIC for about 4-5 years now and have had no problems with them during that time.
I’m not sure what you would be using your website for to be worried about being taken down. But Iceland removed the khilafah.is islamic state site website several years ago.
As a Dutch person I have to point out that the name of my birth country is not "Holland" but "the Netherlands" (pars pro toto), and that the flag that is shown in the graphic is the flag of Luxembourg - but upside down. Thanks?
Why are all the TLD operated by the OpenNIC [1] project dismissed if .onion is included in the study?

[1] https://www.opennic.org/

I guess because you need a special DNS server for them with your default browser - onion is directly linked to TOR.
You're saying that modifying connection settings that will make something work with everything on your system is considered more complex than using custom software?

Also, OpenNIC TLD's are indeed TLDs, Tor's .onion is not really the same.

So, next step would be an iceland hoster. Any suggestions for icland only hosters / data centers?
What about other TLDs like .fun (libgen’s latest)? There are so many others now.
Where I'm not clear this analysis is thorough is the consideration that ICANN is a U.S. non-profit corporation incorporated in California.

If we are to go with the laws of the land, the 14th amendment states:

> No state shall...deny to any person within its jurisdiction the equal protection of the laws.

This means that ICANN, itself, is subject to all the laws of the jurisdiction of its location (municipal, county, state, and Federal).

If I understand ICANN's role correctly, they control the entire WWW (DNS, IP address assignment, infrastructure, etc.), so everyone on the WWW is subject to the ICANN jurisdictional limitations.

Am I missing something?