Tell HN: Cloudflare prevents transfer-out of domains, sets to 'pendingdelete'
However, the worst part of this fiasco, was that this thread shed light on a far more terrifying issue regarding CloudFlare. The problem is that allegedly when they terminate your account you are unable to transfer-out your domain names. Allegedly, and perhaps far more insidiously, CloudFlare sets them to “pendingdelete” status. Meaning not only can you not transfer out your domain to another registrar, but the domain will expire after a short period of time and can therefore be sniped by an unscrupulous third party.
This post is a warning to the community: DO NOT transfer any domain name to CloudFlare that is valuable or important to you. Because at any time, your account can be terminated for no reason (“false positives”) and you will not be able to transfer your domain to another registrar. You will probably be unable to get them to reinstate your account so that you can transfer-out your domain through the normal support channels because they totally stonewall you("The suspension is permanent and we will not be making changes on our end."). You would either need take them to court to get your domain name(but by then your domain may already be permanently deleted/expired or sniped by a 3rd party) -OR- make a big stink on HN in order to summon someone with actual authority in the company who can remedy the situation.
Relevant thread: https://news.ycombinator.com/item?id=31573854
101 comments
[ 3.2 ms ] story [ 180 ms ] thread"All ICANN-accredited registrars are required to allow registrants to transfer domain names to another registrar."
Now as the registrant you have right to redeem the domain so you could recover via that route. So the domain CAN be saved.
You may not have even originally agreed to said terms, and they were shoved at you in an update which you "can opt out of" by discontinuing your service.
Or snapped by Cloudflare themselves.
> Cloudflare may, at its discretion, elect to assume the registration and may hold it in its own account, delete it, or sell it to a third party. [1]
[1] https://www.cloudflare.com/domain-registration-agreement/
I imagine those steps are something they hope to only ever invoke on clearly illegal enterprises.
They have some separate terms that allow similar things, in specified categories of abuse and related stuff.
> In the event that Registrant fails to renew the domain name in a timely fashion, the registration will expire and Cloudflare may, at its discretion, elect to assume the registration and may hold it in its own account, delete it, or sell it to a third party.
I mention this because without that context it looks even worse.
If they alter the domain status to pendingdelete, as stated by the OP, the domain is de facto expired.
And the same Domain Registration Agreement gives them the unlimited right, at their sole discretion, to modify the registration of a domain for a number of reasons, for which it seems you have no other recourse than hoping to be on the frontpage of HN even if such decisions were unfounded.
I mean, I trust the company, and have complete faith in the quality of the products; It’s just a bad idea to depend on company resources for anything in your personal life.
I moved several valued domains to Cloudflare registrar precisely because I assumed that they'd be better in "rare but extremely unpleasant" domain-loss scenarios, such as account takeover (by a third party) or account suspension/termination (by them).
Contrast with Google domains, where I could never shake a worry that uploading the wrong music in a private YouTube clip could one day randomly cascade to my whole domains account being closed without recourse..
Their support basically ignored any evidence to the contrary and let my domains expire and be sniped by other buyers.
EDIT: my motivation here is to tell you honestly what would strengthen your case. There is no upside for me in this conversation. I'm not affiliated with namecheap or any other registrar, and am merely offering my perspective: as a happy customer, I can be moved by other people's bad experiences, but they must be well documented. If you don't like hearing that, then ignore it.
To be fair I'd stay away from Cloudflare as well
It turned out that they are mostly a Ukrainian company, and when the war started the CEO decided to terminate “services to users registered in Russia” with only four work days notice.
I don’t know if any customer account was actually suspended. I also don’t know what “registered in Russia” means, is it nationality, residency, billing address, customer’s IP address or the A record. Some EU clients also received this letter.
I can relate emotionally. But this way to address existing customers, which have paid for their services, is whimsy and unprofessional. I also think that discrimination based on region or nationality is unnecessary broad. It certainly didn’t stop Putin.
Just to be clear, I believe Ukraine needs and deserves all kind of support to win this war.
- https://news.ycombinator.com/item?id=30506581
- https://news.ycombinator.com/item?id=31577019
https://porkbun.com
When I transfered in some domains I had some questions about their UI so I gave them a ring, and immediately I was chatting with an extremely competent product engineer.
No phone system to navigate, no filtering through L1/L2 "support", no bullshit. I can't remember the last time I've had such a pleasant experience contacting support for a service.
> PASSWORD PROTECTION: Want extra protection on your domain when changing certain features or getting an authorization code? Within the Password Protection section in your domain Details area, you can set a password by selecting the toggle switch "ON." From there you can create a password that will be required to enter when managing certain aspects of the domain.
They also support security keys (WebAuthn) [2]. I’ve used them for 3-4 years and have no complaints. I don’t like the handshake stuff, but you can’t blame them for wanting in on that windfall.
1. https://kb.porkbun.com/article/175-domain-details-area-expla...
2. https://kb.porkbun.com/article/119-how-to-secure-your-accoun...
A very no-BS experience.
Anyone who trusts them with a domain better hope for a slow news day on hn when you get flagged by mistake.
Netflix learned that lesson.
It might be tempting to go along with the Zeitgeist but 2 years later, things will flip and you’re going to be caught in the crossfire.
Domain ownership/control is basicly the keys to the kingdom for most businesses and cloudflare should recognize that responsibility and fucking shape up.
Stop treating your registrar like its some side piece product you can use to lock people into your services.
This is why it's an enormous red flag when I see anyone doing customer service in the HN comments. You may as well have a neon sign that says "we only give a shit about the customers who can make trouble for us". When I see a founder fixing someone's problem I can be dead certain that when I become the one with the problem I am SOL.
Have you ever called one of those big webhost with 24/7 support (GoDaddy, NameCheap, ScammyxyzabcdefghijkHost.com)?
Their support will have that poor soul on a call for 8 hours and then upsold to 50 business services they didn't need where they were "freaked out" into buying.
Cloudflare is trying to liberate domains (or at least technical folk) from all of that nonsense as an at-cost provider. You are not SOL with buying your domain at Cloudflare or using their services.
If someone reports a bug or asks a question, whether that be on my forum, my discord, my subreddit, some rando bbs, or HN, I try to jump in and resolve their concern.
Not all companies are twirling their mustaches and cackle nefariously. I just want happy users.
I don't have any affiliation with them, just a happy customer for several years now
This isn't an action which a registrar is generally able to perform.
Domains naturally transition to the pending delete status at the end of the redemption grace period (i.e. 1 to 2 months after the domain expires, and at least one month after the domain stops resolving).
If I had to guess they kill an account and delete any of its domains, which is absolutely the wrong way to go about handling that. The domain is already registered so you move it to a holding an account for further resolution. just because you terminated an account you shouldn’t be deleting a domain.
https://datatracker.ietf.org/doc/html/rfc2832#section-4.3.3
https://datatracker.ietf.org/doc/html/rfc5731#section-3.2.2
A registrant then has 30-44 days (depending on the registrar) to “renew” but in fact the domain has already renewed so in what happens is the registrar deletes the domain in the case where they don’t have that affirmative action.
All I can say is read the rfc or take my word for it, I’ve run a registrar.
I know actually engaging with fraudsters is probably a huge time sink, but... I think that probably should just be the cost of doing business. It's definitely not acceptable to delete domain registrations of suspected fraudsters. With no warning.
I have important personal domains hosted with CF's registrar. I'm now wondering if I need a fallback plan.
I hope that @jgc is reading these threads and giving them some attention.
I’m the Head of Trust & Safety at Cloudflare. I wanted to clarify our processes, which were described inaccurately in this Hacker News post.
As part of our standard fraud review process, domains determined to be malicious registrations/transfers may be deleted. In those cases, we typically take steps to notify the account holder so that they can contest the determination if appropriate. Cloudflare allows transfers of domains out of Cloudflare’s registrar immediately, unless there are indications of potentially malicious or fraudulent activity. Cloudflare follows the standard industry practice followed by virtually all domain registrars of blocking the transfer out of domains deleted for what appears to be potentially malicious purposes.
The problem here is the entire process is opaque. Obviously your process can have false positives, so why should anyone trust the "standard industry practice" is being followed for domain deletion? Plus, IMHO "standard industry practice" is a term that gets dragged out to describe subjective policies and measures that can't be quantified or explained easily.
> In those cases, we typically take steps to notify the account holder so that they can contest the determination if appropriate.
The thing that's problematic here is "typically". Maybe that's just wording to indicate that it's not always possible, but you always make an attempt (?). If so, say that. For me, the frustrating part is that I don't know the rules, so I can't adequately evaluate the risk of being banned. I can't have a contingency plan either because there are no guarantees. If the OP's story is even close to accurate, I think it's safe to say anything can get you banned due to a false positive and that scares me.
Even if you feel like you can't make the detection systems transparent, which I can understand, it would make a big difference if people could understand what the process is after an account is flagged. Why should I invest in development that targets Cloudflare's platform if I can be banned on a whim without any communication? Why doesn't my side of the deal get any guarantees?
I don't agree with instant blocking of any accounts, even the free ones, but I can understand the free accounts likely create challenges I can't even begin to hypothesize about.
That said, I don't think you're seeing the other side when it comes to instant blocking of services. I've dealt in the small business space a lot and the difficulty there is that a tiny, low priority issue for you, like blocking a small account, can be hugely detrimental to a small business. I've dealt with some small family run businesses where they own short domains that would be instantly squatted on upon deletion and the cost of recovering them would be significant in relation to their annual income.
Personally, I'd like to have some clear rules and guarantees surrounding account termination. Let me set one or more emergency contacts for my account and give me a clear timeline for attempts to reach out to those contacts before taking action on my account. And I'm not talking about some legalese buried on page 20 of the ToS. Put it in the control panel next to my contacts. If you can't give me any guarantees on a free account, that's fine, just say so up front and tell me what I need to do or pay to get to the point where my service won't be terminated by a robot.
I was really, really disappointed to see the OPs situation because I totally bought the mantra of Cloudflare wanting to make the internet a better place and I don't think you're doing that by being another "also ran" in the context of treating your users like they're disposable. Maybe I was just being naïve and overly optimistic because big tech treats everyone so badly that I wanted to believe there was truly someone out their trying to be on the side of the average user / developer.
The most disappointing part is that I think Cloudflare's strategy of targeting underserved markets has the potential to pay off more than people realize. I tried out Pages/Functions with a SvelteKit project (+ adapter) a while ago and it's the first time in years that I've actually been excited about something technology related because I can see the potential it has to give small developers a platform to capture the low end of underserved markets without having to worry about massive cost overruns or the complexity ...
>domains determined to be malicious registrations/transfers may be deleted
The person in the story's domain was determined to be malicious and deleted for fraud. (however in reality it wasn't) and thus deleted, like you said.
>Cloudflare allows transfers of domains out of Cloudflare’s registrar immediately, unless there are indications of potentially malicious or fraudulent activity.
This is what the OP post described has happened in the story. The person's domain was determined fraudulent and was thus disallowed from transfering out, like you said.
>Cloudflare follows the standard industry practice followed by virtually all domain registrars of blocking the transfer out of domains deleted for what appears to be potentially malicious purposes.
The fact is, a serious mistake was made by Cloudflare and evidently the guy had no way to appeal the decision outside of Hacker News. It is clear that this industry practice needs reform. Perhaps instead of trying to dismiss/downplay this your time would be better spent improving the process or maybe implementing some form of due process/trial for these extremely important accounts. An accidental domain deletion seems to be no big deal to you. But in reality its a nightmare that can cause serious harm to a persons life and livelihood.
Try to imagine it yourself how it would feel. if one day all your important accounts stopped working. all your domains has been hijacked! Why? because your registrar set it to DELETED on short notice due to random false-positive-fraud and a sniper re-registers it elsewhere! there is nothing you can do about it, your registrar stonewalls you. You're completely screwed and theres nothing you can do about it. Your valuable domain is gone. All your important accounts tied to email on that domain get broken into. Your companies and brand are destroyed. No one ever suspects their properly secured domain name will randomly be DELETED in < than the time it was registered for. This is a really traumatic event for people and not something that should be minimized.
However, regarding the core issue (a false positive on the fraud detection can get my domain both deleted and blocked from transfers) the post and your reply seem to be in agreement. (And the "typically take steps..." makes me wonder whether there are cases where you don't even notify the account holder, aside from court orders.)
I get that dealing with fraud at scale is hard, but this (especially the lack of a "why this won't happen again") does not exactly reassure me.