332 comments

[ 2.9 ms ] story [ 289 ms ] thread
Great. There's a Dutch bank called ING. I can't wait for all the phish.ing to start. IMHO all those new TLDs are just a huge mistake and a blatant money-grab.
They already got the bank.ing domain name.
but do they have fuckof\f.ing for submitting complaints?

Edit: HN doesn't accept FO as one word, it replaces the last `f` with `i`. Try it yourself.

Seems to work for me: Fuckoff fuckoff.ing
(comment deleted)
Is this just a trick to see how many people you can get to type 'fuckoff'? :-)
Let me test it again...

Edit: No I swear, when I typed fuckingoff.ing and post the comment it shows as fuckingofi.ing to me. I edited the post a dozen of times and it always displayed something else. I tested it even on two browsers!

  hunter2
I don't understand, it seems to work for me.
I am old. I forgot about this hunter2 password filter phish reference.
hunter2 is 20 years old next year, just to make everyone else feel old too
Huh. i actually thought it was older. I can remember a time before *******
And they use it to remind people that the .ing tld is a bad idea.
With this gem on their side:

> While bank.ing is managed by ING, please be aware that any other domain ending with .ing is not an ING website.

Sadly phish.ing is over $1000 / year.
But think of the return
Think of how funny it will be when you send out a social engineering training test email with that URL to your company and see who falls for it.

  https://we.are.totally.not.phish.ing/this-is-legit/link.php?really=just-click-it&fill-in=your-pii&submit=true
Wouldn't it be called fish.ing instead, so you'd trick users.
The real money is in spearfish.ing.
>> IMHO all those new TLDs are just a huge mistake and a blatant money-grab.

Especially with this one. There is no room for competition since each verb can only be used once with the ing suffix. Well, competition for who is willing to pay the most, but from the consumer side there can only be one URL.

i mean, if you can't get fuck.ing/cool, you can go with reallyfuck.ing/cool or getsurf.ing gosurf.ing learnsurf.ing or justhang.ing/out etc

I think I'm at my limit of dumb domain names for no reason though, so I'll pass on this round.

Reallyfuckingcool.net or .org available, same for getsurfing, learnsurfing and justhangingout. With all these domains there’s no real point unless you are getting a dictionary word or a specific name, imho.
Which just outlines how it is a money-grab for existing property owners. Yet another stupid vanity domain you're forced to add to your portfolio!
I wonder if we're at the point that the costs of registering a new TLD are immediately recouped from the set of large businesses that must register their name in every TLD?
I was thinking about this too. Some TLDs look like an obvious obligatory money grab (such as .download), so companies are compelled to buy it.

I have seen some TLDs owned by a company and didn't even bother to set a redirect.

My anecdote is that the ICANN annual fee ($25k) is easily covered by these obligatory registrations and the premium domains. The cost of running nameservers aren't that high. NS1 has an offering, but it's impossible to find their pricing for anything.

Mobile app is already first class citizen at ING in some EU countries. One is unable to make transactions or even is locked out completely from all online channels after losing access to their mobile app, or if their app simply stops responding on tapping the "Confirm" button. Web is merely second class citizen. No idea how they arrived to this retarded architectue. Submitting any kind of architectural feedback to a bank is hopeless and helpless, these fuckers always know better.
> No idea how they arrived to this retarded architecture

2FA is known to increase security drastically. It's easy to understand why it's a good idea.

EU banks in particular do this because 2FA for banks is mandated by a EU level directive.

> Submitting any kind of architectural feedback to a bank is hopeless and helpless, these fuckers always know better.

In this case they clearly do.

In at least one EU country the only available free of charge second factor of 2FA at ING is their FULL MOBILE BANKING APP. You're posting a comment at HN explaining that "mobile banking app is 2FA because security because EU", are you working there?
Hm, last time I tried 3 years ago paper mails were their only channel (after opening an account online). They were so past century. If they do anything with this TLD before improving their basic banking platform/UX it will only prove the point of how retarded they have been.
Ugh, when I saw the HN headline about this TLD I thought it belonged to ING Group, just like .barclays and .chase belong to their corporate owners. Just shows how suited this TLD is for phishing...
Don't they sell .zip TLDs now too?
Yes, they do, huge mistake

...but a lot of fun!

Explain why it’s a huge mistake, please.
I think the idea is ambiguity between a zip file from your coworkers website and an entirely separate phishing website which downloads an entirely different zip file with a malicious payload.

Anything that introduces unnecessary and previously unforseen ambiguity to the olds is just another path to filling the internet with scams

Browser vendors should just splash users with one of those click-through security warnings. Make it bright yellow.

I'd be very entertained by drama from owners of those domains, but in my opinion, such a thing would be completely justified.

Here’s the problem: the biggest browser vendor is the one selling the domains!
Well, we also have .com as a common extension on Windows machines?
A link reading attachment.zip is no longer a 'safe' file but a eg browser window.
I hate that mentioning example.zip now turns into a link in modern chat programs. At least link preview can be disabled... Also .py is annoying but that one I can understand more why it reasonably needs to exist.
I don't get it, and I'm sure some people fall for the scams, but .com has been a dangerous file format since before the internet became common and that hasn't been much of a problem either.

My guess is that it'll only be a matter of time before .png and .jpg will be TLDs.

If someone is allowed to make .xlsm a TLD I'm 100% quitting the internet.
If I were the lawyers at ING, I would be sending Google it cease-and-desist with regards to selling any domains with banking related terms. I actually think they would have a reasonably strong claim.
And grammar teachers would sue ING?
On what grounds? ING can sue on grounds of owning a trademark.
To be honest both cases are equally strong. Trademark by a bank, and English gerundial suffix. I want to see their lawyers knife fight in a ring while burning piles of cash, it would be an entertaining self resolving problem!
or maybe they'll buy a whole bunch of insult domains imveryunhappywith.ing dontuse.ing, yourmotherhasapreferenceformassagetoolsfrom.ing
It is, the reasoning along as to buy an .ing domain is laughable at best. it does nothing that a .com isn't already doing
I mean, strictly speaking, this argument could apply to any public suffix. Why not have every site be its own TLD in a single global namespace?
I can't wait for creditcard.ing, pinpas.ing, debitkarte.ing, cartededebit.ing, and all the others to be sent across the world.

Might as well pre-emptively add .ing to every phishing list out there.

Yeah but what are the AOL Keywords for these sites?
Nobody owns f**.ing yet?
It's still available, I checked. It just happen to cost 12.5k USD.
Just making expensive land out of the ether.
I don't really get godaddys pricing on these or what exactly they buy you. They're claiming this price is to preregister to maximize your chance to own it. There is a base rate of $19.99 per year but depending on what word you enter, it quotes up to $12k

Bang.ing = 12k; Smash.ing = 3k; Gni.ing = 100; Whyaresomecheaper.ing = 19.99

b.ing goes for 130k
Not included: lawyer fees to defend yourself against the inevitable lawsuit from MS when someone there realizes they need to own it.
The real price is >$1M, try to do the checkout.
Is that enough to create the TLD itself, let say .banging?
That's not too expensive for some "entrepreneurs" ;-) Especially in the long run it might be a good investment.
I don't quite get why Google are allowed to operate as TLD market these days.
> suisse.ing

Yeah, excellent.

For those who are unaware 'engineering' in Swiss German is "Ingenieurwissenschaften"
Is that an obvious association to the relavent audience? Mixing the French “suisse” with the German abbreviated “ing” is a little odd to my (french) eyes. Or is suisse also common in Swiss German?
IDK how representative I am but as a German "Suisse" is clearly referring to Switzerland (maybe because it's in some Swiss brand names, e.g. Credit Suisse?) and my two associations with "ing" are ING direct banking and industrial engineering (outside the Bachelor/Master system the degree title prefix for a professional engineer was/is commonly indicated as "Dipl. Ing.").

But I wouldn't overthink this. Someone likely pitched this as a clever marketing campaign to show "technological leadership" (the news section has an article dedicated to the site being one of the first .ing domains as if this is a meaningful technological achievement) and got funding for it. That doesn't mean the site will be there or be maintained a few years from now.

No, Suisse isn't common in Swiss German at all, except for the 'brand', e.g. same as Swiss.

suisse.ing is really weird though for someone like me who is from Switzerland and speaks German and English.

Given that French cantons don't speak German and German cantons would rather speak English than be caught speaking French, no, I doubt this linguistic concoction is obvious to either.

Might work in Fribourg, which is bilingual, but that's still a stretch.

Google went from allowing you to buy domains with one click to now showing you logos of companies you can buy them from, not even making them clickable
Interest(.ing)ly I could right click to open in new tab
I noticed the same thing! Leave it to one of the world's largest monopolies to botch such a basic call to action.
For me it works if I disable uBlock Origin.
The DNS is serious internet infrastructure, not your play toy.

The practice of selling TLDs to every two bit dotcom was a mistake and needs to end.

Domain registration is the most fascinating interaction between multiple outlooks. There's the true hacker spirit of DNS resolution as a technology. There's the lawful bureaucracy of ICANN shoe-horning the technology into a legal framework. Then there's the capitalism of registry "operators" who appear to exist almost solely to navigate ICANN.

It really feels like there ought to be a better system.

domains are almost as Lindy (a concept that explains the longevity of things like ideas or technology) as circuit switched telephone numbers. We're not going to shake the concept away for a very long time.

https://en.wikipedia.org/wiki/Lindy_effect

https://en.wikipedia.org/wiki/Telephone_number

AOL almost did it.

But a domain is now a virtual signal. Most adverts are "search X" or advertising online already so there is a link. There are plenty of cool non-english but pronounceable words out there you can .com let alone cute things .so, .be, .co, .io, .ai, .gg, .dev, etc.

This is kind of what I mean. You're talking about the DNS part alone here. I can encourage all of my friends to pass `/etc/hosts` around, just like those in Stanford originally did with HOSTS.txt, and I have domains.
But ICANN makes a lot of money off of it, and isn't that the important thing?
The mistake was to let Postel mismanage DNS pretty much alone without any significant oversight or defined policies, that set the groundwork for dns to be free for all wild west of which the current situation is just natural consequence
laying the blaming on a dead guy, classy.
I have no idea if that person should take blame, but is your opinion that the actions of the dead, no matter the circumstances, are beyond criticism?
(comment deleted)
Whats the problem? Are TLDs running out?
I believe the main problem is lack of competition.

When a customer registers geographical domains, or old school domains like com / net, they can migrate to any other registrar they wish. This option guarantees reasonable prices for customers, even in the very long run.

When a customer registers their domain under TLDs like hot / deals / express they can’t move away unless they’re fine losing their domain name as the result. Most of these TLDs are owned by for-profit companies. IMO, this lack of competition pretty much guarantees the prices will eventually go way higher to extract more profit for these companies.

A while ago, people faced a similar problem with mobile telephone numbers. Many countries have solved the issue with legal measures, they force mobile operators to allow users to migrate to competing operators while keeping their old phone number. Until we have laws forcing internet domain names portability (similar to phone numbers portability), I personally plan to stay away from these new top-level domains.

You are confusing registry and registrar.

Google Registry (https://get.ing) to .ing is what Verisign is to .com, and you can both register them on GoDaddy and transfer them to Gandi.

So as I understand, they sold the Google domain business to Squarespace but will keep Google Registry with all its questioning new TLDs like .zip.
there's a clear (to the general public, it's absolutely not at all clear) separation of concerns between registries, registrars, and registrants.

Google Domains was a registrar.

the Registry itself has some arcane and obfuscated corporate name that was something entirely different from Google LLC (Charleston Road Registry Inc)

> the Registry itself has some arcane and obfuscated corporate name that was something entirely different from Google LLC (Charleston Road Registry Inc)

That's interesting, more interesting is that Google created this Inc to workaround ICANN requirements

"Charleston Road Registry (CRR), also known as Google Registry, is a wholly-owned subsidiary of Google. Because ICANN requires that registrars and registries remain separate entities, and Google is an ICANN-accredited registrar, CRR exists as a separate company from Google. We offer equivalent terms to all registrars in terms of pricing, awarding domains, or any other domain operations; we'll partner with any ICANN-accredited registrars that are interested in our domains and meet any additional criteria that we set for a TLD." [1]

[1] https://www.registry.google/faqs/

This is pretty common, as far as I understand. Many registries will run their own registrar, but I don’t believe they can give any special anything for their registrars compared to other registrars.
.me in particular is moving to square space, and Google shut off all of my automatic renews because of it, wreaking havoc when a few of them expired recently.

Just as a heads up.

I get the idea sometimes that the "concept" of a TLD is being destroyed. Whether that be intentionally or unintentionally, I get the hints that we're headed toward AOL keywords all over again.
The "concept" of tlds was already pretty much destroyed with .com boom. Even in late 90s there was basically no true organization or hierarchy on the top level, .com/.org/.net etc were all free for all and most cctlds did not establish any 2nd level domains either (uk being prominent counter-example)
The only hierarchy that really exists and makes sense is the ccTLDs, but only some of them. .de, .cn, .fr, .uk, etc., these are mostly registered by people and businesses within the actual country and used within the country as well. But there's so many other ccTLDs like .us, .io, .ai, .ly, .me, .co, etc., where they're functionally just two-letter generic TLDs, and the hierarchy doesn't work for them.
They're adding ".mov" too. Freaking amazing from a threat actor's point of view.
I am genuinely surprised that ICANN allowed .zip and now .mov. That was a very serious failing of their job. dot .. local? or something? was another huge miss on their part.
(comment deleted)
Is b.ing already taken? If not, buy it ASAP!
Where does this land legally now? Could Microsoft go to ICANN and demand you hand it over for the registration fee or is it first come first serve?
Yes, they can demand you hand it over and you will hand it over.
Do they have to pay you for it?
Even if Brad Ing bought the domain to host his personal blog?
You may want to read up on the story of Uzi Nissan.
That's insane to me.

Edit: I kind of get it with .com domains, but all TLDs?

Pretty much. It is a trademark and holders have to defend against infringements if they want to keep it.

You might win in court/arbitration if you have a legitimate reason for owning the domain, but you're going to need deep pockets to pull it off and be willing to put up with the harassment of a company that has infinity money and wants to crush you for sport.

Uzi Nissan didn't hand over his domain.
Yes, because he literally has the word Nissan as his last name.
MS would do the same thing they already did with wwwbing.com and binf.com: go through the arbitration process to get them repossessed.
Did everyone forget about the Mike Rowe Soft ordeal? 17 year old Mike Rowe started his own web company and named it MikeRoweSoft.com (on purpose, he knew he was making a pun.)

https://en.wikipedia.org/wiki/Microsoft_v._MikeRoweSoft

For a teen it shows some balls. But he basically would have would have gotten trouble in most jurisdictions with this name.

You could not run an auction site as ibay.com

But you could still use the string in another context. e.g. eBayern

(Bayern=Bavaria)

> Microsoft declined the offer and sent a cease and desist letter spanning 25 pages

This sentence alone increases my adrenaline level. The brainless arrogance of a pack of overpaid lawyers.

Just wait until Microsoft introduces the .oogle top-level domain!
For the incredible and low price of 130K.
You can still grab bl.ing for the promo price of $3,899! (11/1/23 ~3pm ET GoDaddy quote)
nice, going to open a lot of doors

imagine someone automates buying all the verbs(?)

Our new service, automat.ing lets you do just that!
It's exactly what Google want you to do. They made majority verbs prohibitevely expensive premium domains to take their cut.
Which is extra dumb because people won't recognize danc.ing as a legitimate domain and the owners are going to have to pay up for dancing.com or end up with a cheaper alternative called like thedancingapp.com.
Google registry indicates Namecheap is a preferred partner and supports .ing: https://www.registry.google/register-a-domain/

Yet when I go to Namecheap and attempt to register a .ing, it tells me "unsupported TLD." Which is it?

It seems domains are in a "pre-registration" period, of which only some subset of registrars seem to be supported at this time.
Namecheap isn't supporting the Early Access Program, so if you want to buy through them you'd have to wait until General Availability in December (and hope no one else got the name first through a different registrar that is doing EAP).
Can't I wait to buy these with domains.google!
someone cool snap up spider.ing and use it for something that helps democratize the search engine market
I feel like I should buy

Alloftheth.ing/s

And have it point to my pile of novelty domains which I bought for side projects that I've yet to start.

But I feel like whoever owns th.ing should make it a glorified wiki site for Thing from the Addams family

I run `thatwas.notverycash.money/ofyou/` and can tell you without a doubt that this is a great idea that is not at all necessary to act on. You'll get a couple laughs and then it's just a $15/year fee for the domain lingering over your head and credit card.
So Google sold Google Domains but continues to dabble in buying weird new TLDs? Masterful.
Nobody is actually doing anything interesting with these. It all seems to be marketing landing pages intended to direct you to the real URL.
Turns out companies don't want to abandon whatever perfectly good domain they've already been using for decades just so they can have a funny TLD, who would've thought. Only new brands can really benefit from it.
You mean the new brands/companies that don't already have billions of dollars in revenue and can't afford to buy them? Cool, cool.
(comment deleted)
> Nobody is actually doing anything interesting with these.

Now wait a second, that's not at all true. In my experience there are armies of people who use them to launch targeted phishing attacks at my business if they buy the goddamn thing before I do.

At a certain point if you are lucky enough to have a business that's worth targeting, every new gTLD is just another fuck.ing security expense.

Is phish.ing available?

Most phishing I've encountered comes from .com, in my experience. Everything but ccTLDs seems to be listed in some kind of spam filter (I tried to email from a personal .xyz domain for a while, it just doesn't work). .ru is also quite popular for some reason, but that seems to be mostly untargeted phishing attemps. Most shit comes from legitimate(-looking) gmail.coms and outlook.coms.

I have a feeling people trust .com and .net more than they trust .zip and .mov. Without .com, the URL just looks weird to some people.

I can see why you dislike new TLDs if you're trying to protect your company, but you'll always have that problem. It's not like you're going to transfer money to the Taliban to register yourcompany.af, but criminals don't care, the money they transfer is probably stolen anyway.

One exception is the fact that there's an international bank called "ING". They've already registered bank.ing but I don't think they can come close to claiming all possible phishing attempts for their customer base.

While what you say is completely true, unfortunately how I do my own security has very little to do with how my customers do their security. I see ccTLD and gTLD used in spearphishing and domain impersonation attacks on a frequent enough basis that I have form letters for the abuse reports. Start collecting some backscatter with a DMARC policy and you might be surprised at what you discover.
Modern TLDs are used in various smaller services. squoosh.app comes to mind for something I use. The Fediverse is also full of alternative TLDs: lots of .social, .chat, .lol, .place, and .world in the instance list. .com has been exhausted for a while, if you don't want to buy your new domain from a squatter you'll probably need to go through thisworddoesnotexist.com or register domains that look like .onion URLs.

If squatters and registrars weren't so shite, I could absolutely see a new service with a name like "share.zip" or "you.mov" taking off. call.ing seems like a perfect domain for a video chat service. Too bad these domains cost several thousands of dollars (as a starting price).

Too bad any domain with fewer than five letters has been registered by the companies selling these domains the moment the TLDs came out.

Domains aren't used by multi million dollar companies, but plenty of blogs and other independent servers using the alt-TLDs.

Register.ing sunsett.ing and redirect.ing it to google.com.
Great, another goldmine "discovered" by Google. They'll make loads of money out of thin air and in the meantime allow people to create some confus.ing and phish.ing web sites (sorry for the pun :-))
I've reached generic TLD fatigue. There's a new one each week. I regularly buy domains with OVH since they have a wide array of TLDs at a good price[0]. Over the years I let many of them expire because either 1) I let my dreams die, or 2) I couldn't afford to renew it. Mostly it's because I let my dreams die, not financial shortcomings though.

[0] https://www.ovhcloud.com/en/domains/tld/

Domain squatting is not what it used to be... unless it's max 5 characters in total, simply let it go.
That's a very succint way of putting it. Exotic TLDs are completely unecessary to deliver content. The more that exist, the harder it is to remember them, which is counter to the entire point of DNS.
The more often they’re used, the more likely someone will be able to own <noun>.<noun> or <verb>.<noun> or whatever, rather than “catching 3-4 letter thing you can say alloud” + “current trend of website name hacking” + “current cc tld used in current trend”.

E.g. “Bit.ly”, “Tindr”, and so on.

(comment deleted)
I think Cloudflare beats the price for most regular TLD. Nothing else comes close.
Several registrars are already selling general availability pre-orders. Does anyone know how this works? I have a feeling that, when the general availability period begins, if multiple people pre-ordered the same one, all but one of them are going to get screwed. Do they at least refund you?
Yes and yes.

If you really want a name badly, pony up more to get it sooner and beat out those other people.

It is just pre-order, expensive and worth nothing in the end as the good ones will get more bids.