The implication that gTLDs are bad and new ones shouldn't be introduced because of this is a bit silly to me. The argument that they somehow have lower registration requirements makes no sense; .shop, .top and .xyz registrations involve the exact same amount of verification as .com (none). Prices aren't really that different and plenty of gTLDs are more expensive than traditional ones.
Registering a domain is frustrating these days, too many already taken and a lot of them by squatters not even intending to use it. I'd love to see more options personally even if it makes it slightly easier to create a phishing domain. We need better tools than memorizing a domain name to deal with that anyways.
I think the issue is you can register a known company name on one of these and plenty of people will think it's legit. Companies have to register on all these random domains to protect themselves.
dell.shop, that's probably the dell computer I know, right?
When a scam hits someone's inbox or text message, it finds them in a particular time in their life, in a particular state of mind, and in a particular context. It's not just about how gullible or uninformed or whatever they are. They may be tired, they may be drunk, they may be spending all their energy worrying about a sick relative, or trying not to.
They may have just been shopping for a computer, maybe even a dell. Or maybe they need a computer for their kid and don't have the means to afford one and are more likely to fall for a scam advertising a good deal on a computer than for any other scam.
These all add to the probability that someone falls for a scam. Phishing is all about casting a wide enough net that the probabilities align against some of the people you hit at the time you hit them.
Victims are not just uninformed. They are also compromised, and/or incentivized to believe this particular scam, and/or unlucky enough that the scam takes place when they were recently engaged in activity that makes the scam more believable.
Seeing dell.computerdealshop.com will snap a lot of people out of it where seeing dell.shop would not have.
Whether people are more easily fooled by dell.shop vs dell.computershop.com is a non sequitur from the rather wordy disquisition about why people fall for the scams in general. The eye sees dell first in clear letters for both URLs. Their sick relative doesn't change much here. I would honestly not be sure if either is a scam from the URL alone. The improbable deal at the other end is the only meaningful signal.
> Whether people are more easily fooled by dell.shop vs dell.computershop.com is a non sequitur from the rather wordy disquisition about why people fall for the scams in general.
It isn't. People fall because probabilities align. Something can catch their eye to knock them out of it.
A bad URL is a bad probability (for the scammer) in the chain, a really good URL is another good probability. If your assessment is that both URLs look equally good/bad to you, I, of course, won't deny that claim about your own experience. But to my eye, dell.computershop.com looks pretty bad and dell.shop looks pretty good.
I only answer my phone if I'm in the middle of getting a loan and so expecting a call from some unknown number at any time, and even then some numbers look too phishy to answer. The last time I got a loan I got a call from a local area code near the bank, answered, and found myself talking to a scammer about a loan. It was confusing, I believed it was the bank at first! Everything needed to align for them to get that far, including the phone number looking legit to my eyes. To someone else's eyes a number halfway across the country may have looked just as legit. Or the nearby number may have looked instantly bogus. This is exactly my point!
Just the fact that you had your credit report pulled for a loan qualification is immediately sold to ad brokers by the credit bureaus, who will sell it on down the line to less and less scrupulous buyers. It's not surprising to me at all that you got a scam call about a loan while you were in the process of legitimately applying for a loan.
I now ask businesses like these "what number will you call me from" and I put that in my phone as a contact, so that my phone will ring. If they call me from any other number I won't see the call.
Remember that Google was (is?) trying to remove the URL bar. Not just because it reinforces search as the main product and gateway to the web, but also because URLs are kind of hard for most people.
Which brings us to the original argument: is this a reason to ban gTLDs? Surely the cost of banning gTLDs outweighs the enormous benefits of making it easy for society's productive users to find names they like.
We also shouldn't discount the incredible benefit of having additional namespaces and markets positioned against domain name squatters. gTLDs linearly increase the costs to squatters. Good names can be found with lots of alternative gTLD offerings, which greatly increases the supply side for builders and entrepreneurs.
Ultimately gTLDs probably won't be banned simply because there's money to be made by the ICANN and registrars.
And then there are plenty of companies who put some legitimate part of their business on a wonky gTLD domain they only bought so that it's not bought by a scammer. Systems run by the investor relations department might run on examplecompany.biz, some hiring SaaS on examplecompany.work, the CRM on examplecompany.business and the tech support occasionally instructs someone to get a preview update from examplecompany.cc. Not because that's a smart thing to do, but because coordinating namespaces is not easy and dedicating an otherwise unused domain only bought to keep out the scammers is a tempting shortcut. And because training internet users that sometimes wonky TLDs are ok is an externality.
> Seeing dell.computerdealshop.com will snap a lot of people out of it where seeing dell.shop would not have.
I see this and raise you HP using domains like h30434.www3.hp.com for decades now. They only started to disappear fairly recently. Many companies will do it and people don't really care.
It would be nice if browsers surfaced the information about when you last visited a site. In the certificate information panel for Firefox you can find things like, "You visited this site 1067 times before" which is helpful information when evaluating if you're on the site you think you're on.
They're different. Companies register all kinds of crazy domains and redirect you through them all the time. Why is it crazy that some marketing person at Dell thought it would be cool to link people to 'dell dot shop'? I would check the certificates, but honestly only as a precaution. If the website looks correct that isn't such an insane thing.
That is exactly why it's so dangerous and effective versus your example.
What good does that do? It is pretty rare for companies to get an EV or OV certificate, since it is more expensive and more hassle than a DV cert, and even when they do, the name on the cert isn't always what you expect since it might be the name of the owning company, not the brand you are familiar with.
Whois on DNS isn't always reliable either, since it often just points to another company that provides a DNS service (such as AWS).
> Companies register all kinds of crazy domains and redirect you through them all the time
That's the real problem with domain trust these days. Companies go out of their way to make sure you know to only visit official links, and then do stupid stuff like buying vanity domains for one-time deals, or make you click through mailchimp tracking URLs because marketing tracking is more important than your customers falling for phishing. Those vanity domains then end up expiring, and now emails and web links that used to go to an official $brand server are all ready to be swooped up by scammers. Customers never stood a chance.
This isn't a TLD problem. It's a shitty company problem.
I wholeheartedly agree. Subdomains exist for a reason. Vanity domains are so incredibly sloppy and unserious.
Another issue is that they can make password management more of a chore. Every time I need to look up my Microsoft login, I have to remember to actually look up “live.com”. Except sometimes the login page is served from “microsoft.com”. Oops, you forgot your password and reset it; now your password for the other domain is out of date. Utterly ridiculous behavior from a company of their stature.
This made me think I'd somehow not saved my MS password because it wouldn't show up if you searched "microsoft". I know you can combine them like the other comment mentioned but what an awful default experience.
What I meant was that you cannot put any trust in the contents of DNS labels; they should be handled as opaque blob-like identifiers. The only meaningful thing you can do with a domain name is to compare its labels to some reference.
So no, I don't trust that I'm on HN because I put any trust in the domain "news.ycombinator.com" signifying anything. I only trust that I'm on the same HN that I was on yesterday because the domain matches exactly the reference value. But the domain name could be anything, as long as it is stable.
Maybe it would be better to say "there is no inherent trust on domains". I trust HN today because I was on HN yesterday, and the day before, and last year, and 10 years ago, etc., and it's always been trustworthy (so far as I know).
But if I saw a link tomorrow for hackernews.shop and I went there, I'd be very suspicious.
Have you seen the domains Microsoft uses? Half the time I am not sure if they are genuine or not, it's actually crazy. Sometimes they use .com, other times .ms. Sometimes Microsoft is in the top-level other times it's in the second-level. Sometimes they have no subdomain, sometimes they have two. It's utterly inconsistent and it's insane to me how close some of them look to actual phishing domains...
If you get credits for Azure they're accessed through microsoftazuresponsorships.com. Why not sponsorships.azure.microsoft.com or something like that? I checked it three times when I got the link, because it's exactly the kind of domain someone would use if they were going to steal your Azure credits.
Maybe, maybe not. [citation needed] But store.apple.com is perfectly legit, so what’s wrong with apple.shop[0]? Sure, you and I know that one is a subdomain and one is a TLD. How many random folks on the street in Des Moines know this? 15%? Less? “Say what? It matters which end the ‘shop’ part is on? Whose brilliant idea was that?”
[0] sigh Apparently nothing is wrong with it, as it redirects to apple.com. So much for that example; take in the spirit intended.
There aren't "people who fall for phishing" and "people who don't", generally speaking. I know highly intelligent and talented people, well educated in general online security, who have fallen for phishing links and scams.
It's certainly possible to strongly protect yourself though, vs casually relying on intuition which is hopeless. You just need to establish a process or set of rules to follow. Businesses do this all the time. A classic scam is sending an invoice asking for payment, and some disorganized businesses will just pay you! But those with a process won't because you won't be able to give them a matching purchase order number and other things their process needs.
A basic personal protection is to not trust anyone who initiates contact with you, no matter who they say they are or what they know about you. Verify by contacting them independently instead.
Very true. My dad (late 60s) has written a DNS server, but still nearly fell for an email scam when he was sleep deprived and at the airport believing his flight was overbooked and he was going to be kicked.
I am unlikely to fall for either of them, but given compromising factors as mentioned by the other commenter, I am much less likely to fall for dell..com than dell.
Due to the widespread usage of 3+ common TLDs (com, org, net, etc.) and arbitrary third-level domains, people have been trained that the second-level domain is the one that matters. Now that gTLDs are more common I've needed to retrain my brain that the TLD is also a necessary heuristic for authenticating websites.
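The "second-level domain is the one that matters" heuristic above is roughly what browsers and password managers encode as the registrable domain (eTLD+1), and it is exactly where the two kinds of look-alike in this thread diverge: in dell.computershop.com the brand is a subdomain of someone else's registrable domain, while in dell.shop the brand *is* the registrable domain. The block below is an added example, not code from the thread or from any browser; it uses a constructed, deliberately tiny subset of the Public Suffix List (an assumption, not the real list, which also has wildcard and exception rules) to extract the registrable domain and to do the exact-match "compare to a reference" check rather than a brand-name eyeball test. It also handles ccTLD second-level registries such as co.uk so that example.co.uk is treated as a registrable domain and not as a subdomain of "co.uk".

```python
"""Registrable-domain (eTLD+1) extraction and exact site comparison.

Added example, not part of the original discussion. PUBLIC_SUFFIXES is a
constructed subset of the Public Suffix List (https://publicsuffix.org/)
chosen to cover the hostnames discussed; it is an assumption for
illustration and must not be used in place of the real list.
"""
from typing import Optional

# Constructed subset of the Public Suffix List (assumption). Wildcard (*.foo)
# and exception (!bar.foo) rules from the real list are omitted.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "shop", "top", "xyz", "app", "io", "ai", "ms",
    "uk", "co.uk", "org.uk", "jp", "co.jp", "nz", "co.nz",
}


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot, and IDNA-encode so that non-ASCII
    look-alike labels are compared in their punycode (xn--) form rather than
    by how they happen to render."""
    host = host.strip().rstrip(".").lower()
    return host.encode("idna").decode("ascii")


def public_suffix(host: str) -> str:
    """Longest-match rule: the longest suffix present in the list wins, so
    'co.uk' beats 'uk'. Falls back to the last label when nothing matches."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def registrable_domain(host: str) -> Optional[str]:
    """The public suffix plus one label: the part someone actually registered.
    Returns None when the host is itself a public suffix (e.g. 'co.uk')."""
    host = normalize_host(host)
    suffix = public_suffix(host)
    if host == suffix:
        return None
    labels = host.split(".")
    suffix_len = suffix.count(".") + 1
    return ".".join(labels[-(suffix_len + 1):])


def same_site(host: str, reference: str) -> bool:
    """Exact comparison of registrable domains: the check a password manager
    or a cautious human should do against a known-good reference."""
    a, b = registrable_domain(host), registrable_domain(reference)
    return a is not None and a == b


def brand_in_labels(host: str, brand: str) -> bool:
    """The naive eyeball test: does the brand appear as a label anywhere?
    Included only to show why it is not a trust signal."""
    return brand.lower() in normalize_host(host).split(".")


if __name__ == "__main__":
    reference = "dell.com"
    # Constructed sample hostnames drawn from the thread's examples.
    for h in ["www.dell.com", "dell.shop", "dell.computershop.com",
              "h30434.www3.hp.com", "store.apple.com", "apple.shop",
              "example.co.uk", "co.uk"]:
        print(f"{h:24} registrable={str(registrable_domain(h)):18} "
              f"same_site_as_{reference}={same_site(h, reference)!s:5} "
              f"brand_label_dell={brand_in_labels(h, 'dell')}")
```

Run as a script it prints one line per sample host. The point the table makes is that brand_in_labels is true for both dell.shop and dell.computershop.com, while same_site against a stored reference of dell.com is false for both; only the exact registrable-domain match is a usable signal, and it is the reference you stored yesterday, not the label you recognise, that carries the trust.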
Even aside from that, you probably want to register your own .sucks and .rocks, which just means whoever operates that registry gets to make a bunch of money from companies squatting domains that nobody wanted and bring no value to the world.
That’s kinda the point. Scammers want to deal with the poorly informed, the gullible, the vulnerable. They concomitantly prefer that the wary and street-smart select themselves away. A marketing professional would recognise the effective segmentation going on, and every new TLD is an opportunity in that regard.
I do not think so. I think if someone had made an effort to rip off the real Dell site I would fall for it. I am just so lucky that scammers mostly prefer to go after the easier marks.
I am not sure what a better solution could be. The idea of EV certificates was good but executed poorly. Maybe a way to link certificates to business IDs.
I do however still prefer more gTLDs to minimize domain squatting.
> The idea of EV certificates was good but executed poorly. Maybe a way to link certificates to business IDs.
The idea was bad.
Anybody can open the Dell Flower Shop. They can call their company Dell Inc. and register the domain dell.shop and they're not doing anything wrong, because they're in a different industry and nobody is going to confuse a tulip with a laptop. And then they could get an EV cert that says Dell Inc. -- because that's who they are.
Which is why EV certs are worthless. Just because it says Dell doesn't mean it's that Dell. There can be arbitrarily many companies with the same name in different industries or locations. But then what is the certificate supposed to tell you that gives you more information than the domain name? The average person is not going to know a company's registration ID with the relevant secretary of state, or generally even what state they're incorporated in.
Answers like this, that basically call the users idiots and abdicate any responsibility on the part of tech, are a losing long-term business proposition. Figure it out and gain loyalty and market share.
I'm doubtful that most non-technical people familiarize themselves with TLDs/domain names. They use a search provider for whatever they need. As far as emails/phishing goes, it's a game of cat and mouse; it will never be over. Basically, don't trust unprompted email links and just go to the site if it's something you really want.
I wonder if we could add some type of verification registry. It would be nice if browsers could have a big indicator saying that this website is verified to be associated with Dell Inc.
Some HTTP certificates do exactly that, and web browsers used to show the company/identity the certificate was issued to in the URL bar. Now you have to go to the certificates detail, very clear on Firefox, behind a few clicks on Chrome. Here's an example from a bank in Spain: https://www.bbva.es
That was EV certificates. They were finally removed from browsers completely around five years ago because they didn’t actually work. At all. The problems were largely social. Plenty has been written about it, you can find it by searching.
Well, the original HTTPS certificates too were supposed to work like that; I remember reading a security article criticizing the EV proposal by quoting the old (circa 1998?) policy statements of different CA's and showing that they're pretty much identical to the EV requirements.
Yep that's the issue, I'm just saying I'd rather have that problem than the one where I can't register a clean looking personal domain because every idea I have is already registered (with 95% of them leading to a parking page untouched for years except to pay the bill). Feels like we just need more names available and I don't see how else we could get them.
The implication that gTLDs are bad and new ones shouldn't be introduced because of this is a bit silly to me.
That wasn't what the article stated. The article stated that the problem is that the new TLDs are so cheap as to be disposable, and the registration requirements are lax. The combination makes them attractive to criminals.
It's literally the first sentence of the article:
"Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) — such as .shop, .top, .xyz — that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds."
The problem is the new gTLDs don't increase the useful supply of domains.
For casual usage like personal blogs and whatnot? Sure, use whatever.
But if I was starting a web-based business and couldn't afford the .com? I'd rename the company before I'd use .xyz - if your business takes off the squatters will notice and raise their prices, so the .com will never be cheaper.
If you got an "urgent e-mail" saying your employer needed you to confirm you're legally allowed to work, and they directed you to experianrtw.app - would you go there and send them a photo of your passport?
There are a few options, though. The fact that .io got so popular shows that we are not forever chained to .com. It's just that a lot of the nuTLD options are honestly hilariously bad, most of them are just lame. My personal top picks are ".online" and ".software" with mention to ".network" but they're all WAY too long. I actually use ".cafe" for my personal stuff because it's short and cute. Obviously can't use that for your SV rocketship company though.
Would it have been so hard to sit down and pick a couple short ones - yknow, ones people might actually use?
Unfortunately, .io is now also unsafe with the upcoming transfer away from the UK; another cautionary tale for those considering not getting a .com.
I’ve been seeding government and business forms with a .io email address for years (to counter gmail dominance), and I’m quite concerned about the situation now.
That's because it's a ccTLD, not because it's not dot-com though. The powers that be could very well decide to just promote it to be a gTLD if they wanted to not destroy stuff for no reason. Actual gTLDs aren't susceptible to the same kinds of issues.
Literally, these are arbitrary strings following arbitrary rules. It's time to ditch ICANN and develop a parallel DNS that makes sense for today not the 90s.
Yes they can. They did it before after the Soviet Union broke up and they kept the .su TLD. It's still active. I'd argue that keeping around .io is more important than keeping .su around, seeing how many people and businesses use .io domains.
The Soviet Union ceased to exist. As long as the British Indian Ocean Territory is not breaking up or otherwise dissolving, it still is allocated a ccTLD.
If I got an 'urgent email' I wouldn't go to any domain, I would contact my employer directly and confirm with them before doing anything. The people who would fall for this phishing scam would fall for almost any domain, because it's not about the domain.
Bad example. The requirements to register in .bank are quite rigorous (see https://register.bank/eligibility/). Phishers typically go for TLDs that impose far fewer requirements on their registrars.
The lion's share of issues with domains would go away if we made squatting illegal, or at the least, extremely expensive.
Tbh I'm increasingly thinking that just about any speculative instrument in the economy is just grift and drag. If you want to make money, make things. Stop trying to extract rent or exorbitant prices for land, for domains, for PS5s, etc. Feels like 9/10ths of the economy now is nothing but fucking middlemen, when we have a dearth of need of ANY middlemen at all anymore.
>The lion's share of issues with domains would go away if we made squatting illegal, or at the least, extremely expensive.
How do you define squatting? Is the owner of nissan.com "squatting" on it because he wouldn't sell to the Japanese car company? How much interest do you need in a given domain before it's not squatting?
Then you're squatting. Like if you own turkeyonapig.com and it's literally just a web page with a picture of a turkey sitting on a pig? Not squatting. It's odd but it's clearly doing exactly what it's meant to be doing. If you own turkeyonapig.com and are doing nothing but advertising that fact, and that someone can buy it? Squatting.
> Is the owner of nissan.com "squatting" on it because he wouldn't sell to the japanese car company?
I mean, it depends. One would argue that people going to nissan.com are clearly looking for the Japanese car company, so it's in the public's interest that that domain be sold to them. On the other hand, if someone owns it and is using it to run a Nissan fan website? Well I suppose that's trickier, but that would also probably be better suited to something like nissanfans.com.
It's a tricky thing but not impossible to figure out.
>I would argue if you aren't doing some combination of: [...]
cloudflare offers free website hosting and email forwarding, so it's basically free for a squatter to check those boxes.
>I mean, it depends. One would argue that people going to nissan.com are clearly looking for the Japanese car company, so it's in the public's interest that that domain be sold to them.
So you basically want the Kelo v. City of New London decision to be applied to domains as well? You own "erictrump.com" but aren't the president-elect's son? Well tough luck because it's "in the public's interest" that president-elect's son gets it rather than you.
> cloudflare offers free website hosting and email forwarding, so it's basically free for a squatter to check those boxes.
Sure. But it still takes time, or as someone else suggested, a GPT query. Putting literally even the tiniest amount of work in front of squatting will reduce the amount of squatting.
> So you basically want the Kelo v. City of New London decision to be applied to domains as well? You own "erictrump.com" but aren't the president-elect's son? Well tough luck because it's "in the public's interest" that president-elect's son gets it rather than you.
I mean, it is. And putting the phrase in scare quotes isn't a counterpoint.
One could argue in fact that one of the multitude of reasons for the rise of platforms is that it's so hard to find anything on the actual internet, and part of that in turn can be blamed squarely on squatting.
You can boil it down to: are you offering it for sale? If yes, squatting. If not, early bird gets the worm. You should be able to own a domain name and not be required to do anything with it beyond paying the registrar to legitimize your ownership.
I really don't think eliminating domain squatters is some impossible task. you could probably just tax sales of domain names to death (90% sales tax on any resold domain names) to disincentivize it vs registration upkeep costs.
The problem goes way beyond domain squatting. You have a limited resource, say nissan.com, and you have several valid claimants. Who gets to decide what's fair? First past the post? Heaviest pocket book? Biggest stick? Popular acclaim? ...
This is not unique to domains; this is why the world is nuts.
I don't intend to solve this problem entirely, just to displace this business model of squatting domains, which is a massive waste of domain space.
First past the post is "good enough" for me if the intrinsic value of the domain to you is greater than the domain registration fee of like 3-10 bucks a month.
There shouldn't be a major reselling market, that would be like if the majority of space in the yellow pages was just advertisements that said "your business ad here!"
The tax would be done by the registrar or ICANN or whatever (although throwing more money at them might increase corruption of their bureaucracy, oh well). You could burn the money for all I care.
If you get caught, the domain is blacklisted. Ownership transfer is public, so there is little incentive for buyers to go with this route.
And you think a domain squatter would be deterred by high pricing and not just point every single domain to a VPS with a „Hey guys buy my domains“ page? Or even just point them to any random IP, since DNS is one of the legitimate uses you named?
> a web page with a picture of a turkey sitting on a pig? Not squatting
GPT/Cursor will create that page for you in 5 min. I bet a NotSquattingAsAService startups will appear which will create the "not squatting" fake site for you for $2.
I mean, that's an improvement in my mind over millions of insipid "BUY THIS DOMAIN!" web pages. At the least the internet would be more interesting?
But also like, then you aren't advertising it for sale. So I'm wondering how many offers you're going to get to sell that domain, which is the point of squatting it.
That's not how most squatting pages are sold. They are registered for sale in places like NameCheap and you can see it directly when you search for domains.
> NotSquattingAsAService startups will appear which will create the "not squatting" fake site for you for $2.
That's an improvement. Adding $2 to $5 to the cost of a squatted domain will start to dissuade people who squat on tens of thousands of domains, if they have to suddenly have to pay $20,000 to $50,000 for the not squatting service.
>That's an improvement. Adding $2 to $5 to the cost of a squatted domain will start to dissuade people who squat on tens of thousands of domains
There's no way static site hosting and an email service costs $2-$5 per year per domain, especially for bulk users. Even if we take that price at face value, a .com domain already costs around $10/year. A 20%-50% increase will only change behavior at the margins. It won't make chat.com magically become available, and at best will make some D tier domains available. Ironically the introduction of gTLDs probably had the same effect. Squatting harrisonburgrealty.com is suddenly going to be less profitable when there's harrisonburg.{realty,realestate,realtor,homes,house,place,properties,rent,apartments} available as well.
To be clear, when I said make it cost more, I was thinking more like taxes. Similar to how we should be taxing vacant homes to raise the cost of keeping empty properties and lower the rents in turn.
It doesn't matter if you're just a dude or a corporation, you play by the same rules. There isn't anything to solve here. These problems are solved between those two parties and no one else.
Good Lord. It's in the public's interest it remains this way.
Another person here had it right, companies have been playing with fire with their URL shenanigans. From one-time TLDs to abusing tracking parameters. Not to mention browsers in their insane quest to strip useful information out of their UIs, making you CLICK to see who owns the place. Clown world really.
It's not a particularly hard problem. Most countries have rules on what you can use as a business name or register as a trademark. Domain names are just more of the same.
And you don't really own your domain. You are just renting it from whichever authority is responsible for the TLD. If you stop paying, the authority will eventually take it back.
And there are also businesses with identical names. But the basic idea was already established long before the internet. If you have a legitimate claim to a name, you have a legitimate claim to that name. There may be multiple entities with a legitimate claim to a particular name, in which case the first one that used it in a particular context gets to use it in that context. And if you think that someone is using a name you have claimed in a misleading way or acting in bad faith, you can sue them and let the courts decide.
The problem is that, as you note, trademarks and company names are not unique, but domain names are required to be unique. So that n-to-1 relationship between trademarks/names and domain names intrinsically creates a problem: how to allocate the domains when there are many equally legitimate pre-existing claimants. This is not a solved problem the way you portray it, because domain names have this novel uniqueness requirement.
Of course this raises the valid question of whether using names in this way at all is a good idea. For example the telephone system and lots of banking stuff are based on simple numerical identifiers, and lots of countries also have some unique (numerical) identifiers for companies and persons. So there is fairly strong precedent for using assigned IDs instead of names when uniqueness/specificity is required. But somehow we have jumped to the conclusion that for example IP addresses would be too confusing to the average joe, and in an attempt to hide them we have created an even more confusing system.
Many countries already solved this problem with their ccTLDs decades ago. It only required taking the established practices and applying them to a new class of names. There are always some edge cases, but domain name assignment is pretty much a solved problem.
If you're starting a new company, squatters are not a real problem. Just pick another name. If your favorite name is so valuable that it's squatted, then it's valuable! The squatter was reserving it for you, the only company that could really make good use of it, instead of some random personal blogger who happened to walk in first and would have wasted its high value.
Also, what's the difference between a squatter and a personal blogger?
That's certainly an issue. There have been a number of cases where companies have demanded that people hand over domains that they "were not using". Not using being defined as "does not have a website".
It feels like there should be some way of determining if a domain is actively being used, to combat squatters, but whenever someone tries to make a rule it ends up being something stupid, like not having a website.
Email is one of the easier services to detect; not only does SMTP specify that the server sends a greeting before authentication occurs, but there's also a bunch of DNS records just sitting there in full view. I'd say it's easier to detect real usage with email than with HTTP, because, to my knowledge, nobody runs an MTA just to say 'this domain is for sale' like they do on the Web!
gTLDs don't really solve the problem of running out of domain names any more than doing it yourself like myname-shop.com There are too many gTLDs for anyone to remember so they're really just an arbitrary extension on the 2nd/3rd level name.
The whole environment of the newer gTLDs just feels… gross. I rarely find a reputable business that is using anything but .com or .co.XX as the primary domain.
Putting on my regular-person hat: When I see a billboard or print ad with e.g. `example.travel`, I read that as a social media handle and not a website address like `example.com` would convey. In public perception, dot com means websites. Always has.
(Tangentially, the `.sucks` TLD in particular should never have been allowed. How many brands out there have to maintain a perfunctory registration there just to prevent somebody else from doing so?)
>(Tangentially, the `.sucks` TLD in particular should never have been allowed. How many brands out there have to maintain a perfunctory registration there just to prevent somebody else from doing so?)
The entire reason for allowing that TLD is a presumption that brands are not entitled to prevent the registration of domains which exists specifically to criticize them.
> When I see a billboard or print ad with e.g. `example.travel`, I read that as a social media handle and not a website address like `example.com` would convey.
This is where I think the new gTLDs registries could do better. Using your domain as a handle on Bluesky is a perfect example of something they could push for to grow the industry, but they seem to think the status quo with a sprinkle of price discrimination is the winning formula.
Most of the new gTLDs work great as domain verified social media handles, but no one is going to use them for that if all the good keywords are classified as premium with $100+ annual renewal fees. However, if you make them too cheap and they get popularized, domain investors will register everything good and try to flip them.
I think first year premium pricing strikes a good balance that doesn't limit novel, non revenue generating use cases too much. Charging $100-200 for the first year causes a very large increase in the amount of capital domain flippers need to invest to acquire a large portfolio of good names.
If Bluesky catches on I think we could hit a point where non-technical people are suddenly shocked when they see someone "using their social media handle for a website." Getting back to having people understand there's more than just Facebook and Twitter would be a step in the right direction IMO, so it would be nice to see Bluesky continue to gain popularity.
I never deal with co.xx to be honest. Most websites I visit are on ccTLDs. Whenever I see a .com link to any local business, I start out by assuming it's a scam website.
That said, .app has found plenty of adoption. Tech companies absolutely love .io and .ai is now also gaining popularity. The good American URLs have all been bought years ago so people flock to ccTLDs and gTLDs for new products and businesses. Even .engineering has a few interesting businesses on it these days.
As for .sucks, it's clearly a cash grab, but banning it hardly solves a problem. ycombinatorsucks.com is a lot cheaper than ycombinator.sucks, and if ycombinator pre-emptively buys ycombinatorsucks.com, you could just buy ycombinatorisshit.com or ycombinatorisadoodoohead.com.
.co.xx is common in Britain (.co.uk), Japan (.co.jp), New Zealand (.co.nz) and probably others. It's perfectly legitimate for a site linked to those countries.
NZ didn't allow registration of raw .nz domains until 2014 so anything registered before that was a .co.nz or similar. It's still more common than .nz due to inertia / muscle memory I guess. I get weird looks when I give people my (name).nz email address - usually people ask if I meant .co.nz
BR went the other way. Registration of raw .br domains used to be allowed for universities, but AFAIK other than grandfathered registrations it's no longer allowed (new registrations have to use .edu.br).
My suspicion is that it was due to abuse; a long time ago, I noticed some university had registered IIRC .co.br (our correct equivalent to the .com gTLD is .com.br; this is a notable exception to the assertion above that "I rarely find a reputable business that is using anything but .com or .co.XX as the primary domain", since plenty of reputable businesses use .com.br as their primary domain, not .co.br which doesn't exist).
.de domains require a German postal address, so I would actually trust them more than the .ru equivalent. Plenty of other ccTLDs have even stricter nationality requirements for registration.
I’m disappointed at the arbitrary decision-making that lets the registrars deem certain domains to automatically be “premium” and mark them up appropriately. It feels like that’s an additional layer of extortion on top (doubly so when the premium price carries into the full renewal price, too).
So, to be clear, the following tend to be seen as problems by their interested parties:
* withholding tons of domains to watch them go up in value means people can't get those domains (scammers, regular people)
* registries do not make a high price when they sell high-value domains (registries)
* there's only so many words / groups of words that are easily typeable (everyone)
* reducing scarcity reduces the value of digital real estate (domain squatters / traders)
Which of these issues / values / interested parties are more important to help than others, and what, if anything, should change?
I, personally, tend to be in favor of reducing the impact of scalpers by increasing total available volume. As a consequence, I'm also willing to accept some terms for the registries that they get to set higher prices for the most premium of their domains to:
* sweeten the pot for both registries and registrars to even support all these new domains
* reduce a squatter / trader / speculator / scalper's ability to sit on vast tracts of digital land.
I think first year premium pricing makes a lot of sense. I'm not sure what the average time to sell is for a domain investor, but say it's 10 years for an easy example.
If you go from a standard registration price of $12 / year to a first year premium of $132, you double the 10 year carrying cost of a domain. That, naively, means domain investors can only speculate on half as many domains.
By having a first year premium price and then dropping domains back into the 'standard' tier, you also leave registrants with a semblance of price protections via section 2.10c of the registry agreement. As-is, premium domains have zero guarantees when it comes to premium renewal pricing.
There's a lot of room between squeezing domain investors and asking registrants to pay $100-1000+ per year for premium domains.
It's the registries not the registrars that classify some domains as premium. I think they're a risky product because you don't even get the limited price protections provided by section 2.10c of the registry agreement, but there seems to be a market for them [1].
> new gTLDs introduced in the last few years command just 11 percent of the market for new domains, but accounted for roughly 37 percent of cybercrime domains reported between September 2023 and August 2024.
> .com and .net domains made up approximately half of all domains registered...they accounted for just over 40 percent of all cybercrime domains.
Hardly earth shattering. .net and .com are still pulling 80% of their weight when it comes to cybercrime. And the article concludes that the main reason the new TLDs are disproportionately used is because you can sometimes buy them cheap in bulk.
Maybe the real story here is that the ccTLD registrars, who weren't mentioned, are disproportionately good at deterring cybercrime.
> Maybe the real story here is that the ccTLD registrars, who weren't mentioned, are disproportionately good at deterring cybercrime.
I think that some ccTLDs requiring positive identification, usually as a side effect of residency or nationality requirements, immensely help here (versus most gTLDs requiring f***-all identification).
I definitely don't want to move to a system where making a website needs both a government and a private corporation vouching for you. That's the worst case scenario.
> .net and .com are still pulling 80% of their weight when it comes to cybercrime.
The article states it's half that.
"while .com and .net domains made up approximately half of all domains registered in the past year… they accounted for just over 40 percent of all cybercrime domains. Interisle says an almost equal share — 37 percent — of cybercrime domains were registered through new gTLDs."
You seem to be implying that 80% of com/net domains are used for cybercrime, which is not a sound conclusion from those numbers. You're confusing "percent of all domains" with "percent of crime domains". You can't just divide them to get something meaningful.
No, the statement was that ".net and .com are still pulling 80% of their weight when it comes to cybercrime." I read that as saying that .net and .com domains show up in cybercrime 80% as often as would be expected if all TLDs were equally likely to be used for cybercrime.
> John Levine is author of the book “The Internet for Dummies” and president of CAUCE. Levine said adding more TLDs without a much stricter registration policy will likely further expand an already plentiful greenfield for cybercriminals.
I wonder if part of the "business model" behind the ever-growing gTLD list is that all the companies with well-known brands essentially have to also register their brand under the new TLD as well if they don't want to risk it being taken by criminals or competitors.
Why only make money once by selling apple.com if you can also sell apple.biz, apple.xyz, apple.froom etc ad infinitum?
I once worked for a big Hollywood studio and they finally stopped registering their name in every new .tld. They reasoned that if anyone used the domain in a way that is a trademark violation, then they could shut them down in court. Otherwise, they'd be chasing ever-increasing (extortion) rates for each new .tld.
I have always thought the infinite proliferation of TLDs was a stupid idea. I'd be enlightened if I could think of one scenario that benefits from it outside of the registrars.
There are lots of people called John Smith. They all want a domain name. There's only so many variations of jsmith, j-smith, etc you can squeeze into .com, .net, and a few others.
Why shouldn't they be able to buy a domain name which contains their name?
Is it useful to be able to differentiate between McDonald's the restaurant and McDonald's the legal firm and McDonald's garage?
Why shouldn't each of those industries get their own TLD?
The original list of TLDs aren't some platonic good written by ineffable sages. It's OK for things to change.
>There are lots of people called John Smith. They all want a domain name. There's only so many variations of jsmith, j-smith, etc you can squeeze into .com, .net, and a few others.
>Why shouldn't they be able to buy a domain name which contains their name?
I fail to see how johnsmith[insert number here].com is any worse than johnsmith.[insert TLD here]. If anything a number is less likely to get mixed up than TLDs, which have confusing pairs like ".tech" and ".technology", or ".engineer" and ".engineering".
It's not about typos or mishearing stuff, it's about words being jumbled in memory. Unlike a sequence of digits, people don't store words like "engineering" in their head as a string (e.g. "E-N-G-I-N-E-E-R-I-N-G"). It's stored as something like "[concept of engineer] + [present participle]". That's far more likely to get jumbled in people's head during recall.
The only actual answer would have been to drain the TLD swamp and open up the root zone. Give us john.smith, website.jsmith, and mc.donalds. It's just a label anyway, and one that normies don't pay any attention to—save that even if they did, it's hard not to fall for mc-donalds.com or mcdonalds-restaurant.com anyway.
If the whole EV certificates thing had been set up in a way that it wasn't just a money extraction racket, that would be the way forward. Let user agents convey whether a site is trustworthy, and what entity it is connected to.
Domains are the ultimate identity system for building a more trustworthy internet without handing over control to some kind of verified ID scheme or being forced into publishing your personal details to gain credibility.
You can build reputation and trust using a handle, even if it's not associated with your real world identity. For example, I know that if 'ryao' replies to a question about ZFS, the response can be considered trustworthy. I don't know who that is or even what country they live in, but I know they're a contributor that isn't speculating or guessing when they reply and that's all that matters to me.
Domains can be used as verifiable, globally unique handles which simplifies things for the average user because it makes it easier to help users avoid impersonation and confusion if you can point them to something simple and verifiable. For example, look at Bluesky [1].
I've been wanting domain based namespaces and handles for a solid 5 years because it just makes sense. Here's my oldest mention of it (asking why package managers don't use domain verified namespacing) I have on HN [2]:
> It seems like a waste to me when I'm required to register a new identity for every package manager when I already have a globally unique, extremely valuable (to me), highly brandable identity that costs $8 / year to maintain.
You can tell it's old because .com domains only cost $8 back then. IMHO, domain based handles are the #1 reason to use Bluesky over X/Twitter. People used to spend $10-15k buying "noteworthiness" via fake articles, etc. to get verified on Twitter. I can't find any links because search results are saturated with talk of X wanting $1000 per month for organization validation (aka a gold check mark). Domain validation is just as good as that kind of organization validation, at least for well known individuals and organizations.
Given that, I think there would be a bigger market for domains if domain validated identities catch on. It could even spawn specialty gTLDs that do extra identity or notoriety checks (if that's allowed) or maybe attestations would become a big thing if there were an easy way to do them against a domain verified handle.
I would actually think that consumers (of domains) benefit more than the registrars, because there is more competition. If I want a specific word as a domain, there are multiple options of TLD for me.
DNS should be a destination, not a utility. Every John Smith has a legitimate claim on smith.com.
DNS should offer disambiguation services. Instead, we have this awful system.
My dream is to fork a browser and replace the DNS component with an entirely new protocol that respects the notion that people in the real world share names.
Have you gone through the process of naming and securing domains for startups over and over again? Because let me tell you, it's brutal. The more TLDs, the better.
With a new crypto-friendly administration coming in, it's going to get much worse.
If you haven't been following this, there's a whole industry pushing "meme coins" via pump and dump operations. Some even admit they are pump and dump operations.
A friend of our family almost got scammed from a .top domain. They convinced her she needed 'tech support' and transferred $30,000 from her savings to checking and tried to get her to go to the bank to get more money. She got suspicious and got new bank accounts and thankfully didn't get any actual money stolen.
She's retired and it could have ruined her financially. I don't think she realizes how close she was to this.
The software they used bypassed Windows Defender because it was legitimate software called 'ScreenConnect'. I was able to remove it pretty easily. It looked like a reverse shell attached to a Windows service (small .exe with no front-end).
Cyberfraud is infuriating when we know the victim, and depressing when you look how ripe the target space is, but the TLD is neither the most interesting thing about the crime nor what’s to blame, right?
There’s a lot of trust in a namespace system that doesn’t deserve it, although odds are you personally can use it to be immune to scams. What do we do for everyone else?
When I used to run my own email, .top and .xyz received an automatic -10 on spam evaluation. I can't remember a single legitimate website that I actually used and would have had an account on from these TLDs; all I ever saw was spam.
I use .xyz because I have a very common first and last name, and nearly all of the permutations of them were taken on .net, .com, .org, and .us; .xyz seems to price based on how desirable they think the name is, so I still couldn't get $FIRST-$LAST.xyz for a reasonable price, but I got something close.
I do too, aesthetically it's great. Unfortunately the rise in phishing from xyz domains means if you use it to send email your deliverability is likely to suck.
Domain names becoming cheaper (and having greater variety) is a good thing. Yes that comes with an equivalent rise in scam domains, but the answer isn't to add further barriers to entry for everyone else.
If you see a phishing link, you can perform a DNS A record request to find their IPs, typically behind Cloudflare. You can report them to Cloudflare. Their WHOIS record will tell you who their registrar is, and again you can report them there too. If they use URL shorteners, you can report those.
As much as some gTLDs are known for spam, it's dangerous to generalize certain domains as spam. I used to run a website with a somewhat niche gTLD and it was a headache getting blocked by spam filters that just blocked *.mygTLD.
I use a .xyz for my personal domain (I could get my real name as the domain, and it was cheap). I use FastMail for email. Deliverability has been fine, with one exception - Radisson Red hotels. I’ve had two occasions in the last year when I’ve needed to email different Radisson Red properties, and both silently dropped emails from .xyz domains.
I've been blocking .shop, .top, .xyz, and several other new TLDs but only specific TLDs where we see high (or all) spam. For our org, this means I also block .in and .jp in SMTP, as those are almost exclusively spam for us too.
Which makes them particularly useless for a legitimate business since it’s likely they’ll be blocked, and begs the question of if they really have any purpose at all.
My primary catch-all email domain for accounts is at a silly TLD (.rodeo).
My biggest complaint is that some large retailers/services completely refuse to believe it is a valid domain. (I'm looking at you, Walgreens. You blocked me during a pandemic from signing up for a vaccine with my actual email address, which is why fuckwalgreens@myother.domain is now my email in your system.)
Dunno why he had to single out those 3 TLDs in his title. Doesn't really matter that they're the most registered, there's soooo many TLDs now and all equally susceptible to phishing use because users aren't looking closely enough (nor should they really? nobody even knows what a browser is vs 'the internet') or there's no way for anyone to know what's official etc. We needed more TLDs in general, this is just a side effect of the scale.
The problem is not new TLDs, the real problem with phishing in 2024 is that the free Cloudflare layer allows phishers to be protected from automatic phishing detection tools like the ones I develop at my current job.
They also don't offer any programs for trusted third parties so we have to spend a lot of time bypassing and paying for services that skip Cloudflare instead of taking down phishing sites.
It seems like if this is a problem, then the whole domain system is a problem.
There's nothing that makes .top or .xyz more problematic than .net or .org. If the assertion is that it's too confusing for people to pay attention to all the parts of a domain name, then why do domain names continue to have multiple parts? Let's just deprecate everything other than .com and be done with it.
The correct way to identify the entity in the address bar is to display the O= (and country, if it differs from the requester) from the X.509 certificate.
URLs following a pattern is not a good way to authenticate a site.
And that’s the problem. I know I’m talking to “someone who has convinced Let’s Encrypt, US that they are foobar.com”. I have no idea if I’m actually talking to Foobar, Inc. (incorporated in Delaware, US).
There is a standard, reliable register of business entities (typically called “Secretary of State”) and it should be trivial to know if the domain I’m talking to is owned by/part of that entity, that the X.509 matches, and so forth.
Facebook Messenger is E2E encrypted now (though obviously that's not going to prevent the developer from blocking links unless the client is also open source).
gTLDs also have cost risks like when .tech was taken over by a holding company and then 3x the registration price. Who knows about next year and the year after that.
On the contrary, when I'm given a fediverse or bsky vanity URL I'm inherently suspicious of the domain; and when I go there and see that absolutely nothing of consequence renders without Javascript, I am very much disinclined to whitelist anything, even if the page claims that it's just running a Mastodon instance or whatever. ("A likely story", you know.)
if someone gives me a fedi url I'm almost certainly going to read it on my instance so it doesn't have any stupid CSS so imo you really don't need to be whitelisting anything
Interesting! Now that you mention it, I did buy a .luxury domain for this purpose - a Gemini server. I also bought a .ski to have a domain with my (polish) last name.
It's great to be able to get silly domains for projects, back to the old days of IRC vanity hosts, but can you imagine seeing a link to something like jackets.luxury and going "yeah that seems legit, I'm definitely giving them my card details"
Yes that is completely normal and my younger relatives would not even think twice.
In the TikTok and Instagram community people are spending billions not only on random domains (like tiedyeshirts.xyz) but often to venmo or zelle listed on profiles. My sister and thousands like her send money to faceless profiles to buy mystery boxes.
By that logic, would you pull out your credit card if you got linked jacketsluxury.com? .luxury is about twice as expensive as .com so I'm more suspicious of .com sites than of vanity TLDs.
I think there's a generational divide here, the older people seem to distrust more recent TLDs for some reason while younger people don't really care about them.
> John Levine is author of the book “The Internet for Dummies” and president of CAUCE. Levine said adding more TLDs without a much stricter registration policy will likely further expand an already plentiful greenfield for cybercriminals.
Holy shit. CAUCE is a name I haven't heard in a long time. He's been around for a while and is one of the good ones.
The implication that gTLDs are bad and new ones shouldn't be introduced because of this is a bit silly to me. The argument that they somehow have lower registration requirements makes no sense, .shop .top and .xyz registrations involve the exact same amount of verification as .com (none). Prices aren't really that different and plenty of gTLDs are more expensive than traditional ones.
Registering a domain is frustrating these days, too many already taken and a lot of them by squatters not even intending to use it. I'd love to see more options personally even if it makes it slightly easier to create a phishing domain. We need better tools than memorizing a domain name to deal with that anyways.
I think the issue is you can register a known company name on one of these and plenty of people will think it's legit. Companies have to register on all these random domains to protect themselves.
dell.shop, that's probably the dell computer I know, right?
The people who would fall for that would probably also fall for `dell.computerdealshop.com` though
When a scam hits someone's inbox or text message, it finds them in a particular time in their life, in a particular state of mind, and in a particular context. It's not just about how gullible or uninformed or whatever they are. They may be tired, they may be drunk, they may be spending all their energy worrying about a sick relative, or trying not to.
They may have just been shopping for a computer, maybe even a dell. Or maybe they need a computer for their kid and don't have the means to afford one and are more likely to fall for a scam advertising a good deal on a computer than for any other scam.
These all add to the probability that someone falls for a scam. Phishing is all about casting a wide enough net that the probabilities align against some of the people you hit at the time you hit them.
Victims are not just uninformed. They are also compromised, and/or incentivized to believe this particular scam, and/or unlucky enough that the scam takes place when they were recently engaged in activity that makes the scam more believable.
Seeing dell.computerdealshop.com will snap a lot of people out of it where seeing dell.shop would not have.
Whether people are more easily fooled by dell.shop or dell.computershop.com is a non sequitur from the rather wordy disquisition about why people fall for the scams in general. The eye sees dell first in clear letters for both urls. Their sick relative doesn’t change much here. I would honestly not be sure if either is a scam for the url alone. The improbable deal at the other end is the only meaningful signal.
> Whether people are more easily fooled by dell.shop or dell.computershop.com is a non sequitur from the rather wordy disquisition about why people fall for the scams in general.
It isn't. People fall because probabilities align. Something can catch their eye to knock them out of it.
A bad URL is a bad probability (for the scammer) in the chain, a really good URL is another good probability. If your assessment is that both URLs look equally good/bad to you, I, of course, won't deny that claim about your own experience. But to my eye, dell.computershop.com looks pretty bad and dell.shop looks pretty good.
I only answer my phone if I'm in the middle of getting a loan and so expecting a call from some unknown number at any time, and even then some numbers look too phishy to answer. The last time I got a loan I got a call from a local area code near the bank, answered, and found myself talking to a scammer about a loan. It was confusing, I believed it was the bank at first! Everything needed to align for them to get that far, including the phone number looking legit to my eyes. To someone else's eyes a number halfway across the country may have looked just as legit. Or the nearby number may have looked instantly bogus. This is exactly my point!
Just the fact that you had your credit report pulled for a loan qualification is immediately sold to ad brokers by the credit bureaus, who will sell it on down the line to less and less scrupulous buyers. It's not surprising to me at all that you got a scam call about a loan while you were in the process of legitimately applying for a loan.
I now ask businesses like these "what number will you call me from" and I put that in my phone as a contact, so that my phone will ring. If they call me from any other number I won't see the call.
Most people don't understand URLs.
Remember that Google was (is?) trying to remove the URL bar. Not just because it reinforces search as the main product and gateway to the web, but also because URLs are kind of hard for most people.
Which brings us to the original argument: is this a reason to ban gTLDs? Surely the cost of banning gTLDs outweighs the enormous benefits of making it easy for society's productive users to find names they like.
We also shouldn't discount the incredible benefit of having additional namespaces and markets positioned against domain name squatters. gTLDs linearly increase the costs to squatters. Good names can be found with lots of alternative gTLD offerings, which greatly increases the supply side for builders and entrepreneurs.
Ultimately gTLDs probably won't be banned simply because there's money to be made by ICANN and registrars.
Many people do not understand URLs, many people do, and many people have an understanding in between. And they are all targets for scammers.
And I don't think gTLDs should be banned! But I don't like bad arguments even when they support my preference.
And then there are plenty of companies who put some legitimate part of their business on a wonky gTLD domain they only bought so that it's not bought by a scammer. Systems run by the investor relations department might run on examplecompany.biz, some hiring SaaS on examplecompany.work, the CRM on examplecompany.business and the tech support occasionally instructs someone to get a preview update from examplecompany.cc. Not because that's a smart thing to do, but because coordinating namespaces is not easy and dedicating an otherwise unused domain only bought to keep out the scammers is a tempting shortcut. And because training internet users that sometimes wonky TLDs are ok is an externality.
dell.shop is more believable than dell.computershop.com because shorter urls seem more believable and valuable.
If you don't agree I have a computershopthatisreallycoolandcheap.com to sell you.
> Seeing dell.computerdealshop.com will snap a lot of people out of it where seeing dell.shop would not have.
I see this and raise you HP using domains like h30434.www3.hp.com for decades now. They only started to disappear fairly recently. Many companies will do it and people don't really care.
> Seeing dell.computerdealshop.com will snap a lot of people out of it where seeing dell.shop would not have.
Would love to see citations for that.
Here's one [0]!
[0] : https://news.ycombinator.com/item?id=42307876
It's just a claim. There's no support for that actually happening. And no real source.
It would be nice if browsers surfaced the information about when you last visited a site. In the certificate information panel for Firefox you can find things like, "You visited this site 1067 times before" which is helpful information when evaluating if you're on the site you think you're on.
They're different. Companies register all kinds of crazy domains and redirect you through them all the time. Why is it crazy that some marketing person at Dell thought it would be cool to link people to 'dell dot shop'? I would check the certificates, but honestly only as a precaution. If the website looks correct that isn't such an insane thing.
That is exactly why it's so dangerous and effective versus your example.
> I would check the certificates
What good does that do? It is pretty rare for companies to get an EV or OV certificate, since it is more expensive and more hassle than a DV cert, and even when they do, the name on the cert isn't always what you expect since it might be the name of the owning company, not the brand you are familiar with.
Whois on DNS isn't always reliable either, since it often just points to another company that provides a DNS service (such as AWS).
> Companies register all kinds of crazy domains and redirect you through them all the time
That's the real problem with domain trust these days. Companies go out of their way to make sure you know to only visit official links, and then do stupid stuff like buying vanity domains for one-time deals, or make you click through mailchimp tracking URLs because marketing tracking is more important than your customers falling for phishing. Those vanity domains then end up expiring, and now emails and web links that used to go to an official $brand server are all ready to be swooped up by scammers. Customers never stood a chance.
This isn't a TLD problem. It's a shitty company problem.
I wholeheartedly agree. Subdomains exist for a reason. Vanity domains are so incredibly sloppy and unserious.
Another issue is that they can make password management more of a chore. Every time I need to look up my Microsoft login, I have to remember to actually look up “live.com”. Except sometimes the login page is served from “microsoft.com”. Oops, you forgot your password and reset it; now your password for the other domain is out of date. Utterly ridiculous behavior from a company of their stature.
This made me think I'd somehow not saved my MS password because it wouldn't show up if you searched "microsoft". I know you can combine them like the other comment mentioned but what an awful default experience.
Bitwarden can list multiple domains in one entry for a password - it might be good to find out if your manager can do that and merge some?
That seems like the textbook definition of a bandaid solution. Does that even work for the new hotness, passkeys?
1Password too. This is a must-have feature for me.
iCloud Keychain can too, and I’ve already done that. It’s still an annoying and pointless extra step.
There is no domain trust problem, because there is no trust to be had on domains.
do you trust that you are on Hacker News right now?
What I meant was that you can not put any trust in the contents of DNS labels, they should be handled as opaque blob-like identifiers. The only meaningful thing you can do with a domain name is to compare its labels to some reference.
So no, I don't trust that I'm on HN because I put any trust in the domain "news.ycombinator.com" signifying anything. I only trust that I'm on the same HN that I was on yesterday because the domain matches exactly the reference value. But the domain name could be anything, as long as it is stable.
Maybe it would be better to say "there is no inherent trust on domains". I trust HN today because I was on HN yesterday, and the day before, and last year, and 10 years ago, etc., and it's always been trustworthy (so far as I know).
But if I saw a link tomorrow for hackernews.shop and I went there, I'd be very suspicious.
> do you trust that you are on Hacker News right now?
Is Hacker News asking for my credit card or impersonating any other site?
where am I…??
A little searching shows Dell have dell.to, used as a link shortener, even though Dell has little business in Tonga.
Maybe companies should stop doing that then? Also, homonyms aren't uncommon for smaller companies, especially across the world.
EDIT : and ninjaed...
Have you seen the domains Microsoft uses? Half the time I am not sure if they are genuine or not, it's actually crazy. Sometimes they use .com, other times .ms. Sometimes Microsoft is in the top-level other times it's in the second-level. Sometimes they have no subdomain, sometimes they have two. It's utterly inconsistent and it's insane to me how close some of them look to actual phishing domains...
If you get credits for Azure they're accessed through microsoftazuresponsorships.com. Why not sponsorships.azure.microsoft.com or something like that? I checked it three times when I got the link, because it's exactly the kind of domain someone would use if they were going to steal your Azure credits.
That's hilarious..
It is not actually important as you know you cannot trust microsoft more than the usual scammer anyway.
Maybe, maybe not. [citation needed] But store.apple.com is perfectly legit, so what’s wrong with apple.shop[0]? Sure, you and I know that one is a subdomain and one is a TLD. How many random folks on the street in Des Moines know this? 15%? Less? “Say what? It matters which end the ‘shop’ part is on? Whose brilliant idea was that?”
[0] sigh Apparently nothing is wrong with it, as it redirects to apple.com. So much for that example; take in the spirit intended.
There aren't "people who fall for phishing" and "people who don't", generally speaking. I know highly intelligent and talented people, well educated in general online security, who have fallen for phishing links and scams.
It's certainly possible to strongly protect yourself though, vs casually relying on intuition which is hopeless. You just need to establish a process or set of rules to follow. Businesses do this all the time. A classic scam is sending an invoice asking for payment, and some disorganized businesses will just pay you! But those with a process won't because you won't be able to give them a matching purchase order number and other things their process needs.
A basic personal protection is to not trust anyone who initiates contact with you, no matter who they say they are or what they know about you. Verify by contacting them independently instead.
Very true. My dad (late 60s) has written a DNS server, but still nearly fell for an email scam when he was sleep deprived and at the airport believing his flight was overbooked and he was going to be kicked.
I am unlikely to fall for either of them, but given compromising factors as mentioned by the other commenter, I am much less likely to fall for dell..com than dell.
Due to the widespread usage of 3+ common TLDs (com, org, net, etc.) and arbitrary third-level domains, people have been trained that the second-level domain is the one that matters. Now that gTLDs are more common I've needed to retrain my brain that the TLD is also a necessary heuristic for authenticating websites.
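The heuristic the thread keeps circling back to (the password manager treating live.com and microsoft.com as separate sites, store.apple.com being a subdomain of apple.com while apple.shop is a different registration, and "the second-level domain is the one that matters" breaking under co.uk and the new gTLDs) is the registrable domain, public suffix plus one label. The following is an added example, not code from the thread or from any password manager; `PUBLIC_SUFFIXES` is a constructed subset of the Public Suffix List rather than the real list, and the hostnames are illustrative.

```python
"""Registrable-domain (eTLD+1) matching, the rule password managers and
browsers use to decide whether two hostnames belong to the same site.

Added example, not code from the thread. PUBLIC_SUFFIXES is a constructed
subset of the Public Suffix List (https://publicsuffix.org); the real list
has thousands of rules plus wildcard and exception entries, so use a PSL
library (e.g. the `publicsuffix2` package) for anything real.
"""
from typing import Optional

PUBLIC_SUFFIXES = {
    "com", "net", "org", "shop", "top", "xyz", "app", "io", "to", "ms",
    "uk", "co.uk", "nz", "co.nz", "br", "com.br", "edu.br", "de",
}


def _labels(host: str) -> list:
    return host.lower().rstrip(".").split(".")


def public_suffix(host: str) -> str:
    """Longest suffix of `host` that is a public suffix.

    Scanning from the full name downwards means "co.uk" wins over "uk".
    An unknown TLD is its own suffix (the PSL's default "*" rule).
    """
    labels = _labels(host)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def registrable_domain(host: str) -> Optional[str]:
    """The public suffix plus one label, or None if `host` is itself a suffix."""
    labels = _labels(host)
    n = public_suffix(host).count(".") + 1
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def same_site(a: str, b: str) -> bool:
    """True when both hosts fall under the same registration."""
    ra, rb = registrable_domain(a), registrable_domain(b)
    return ra is not None and ra == rb


def lookalike(candidate: str, reference: str) -> bool:
    """True when the brand label matches but the registration does not,
    i.e. dell.shop or dell.to sitting next to dell.com."""
    rc, rr = registrable_domain(candidate), registrable_domain(reference)
    if rc is None or rr is None or rc == rr:
        return False
    return rc.split(".")[0] == rr.split(".")[0]


if __name__ == "__main__":
    for host in ("store.apple.com", "apple.shop", "login.live.com",
                 "microsoftazuresponsorships.com", "example.co.uk", "dell.to"):
        print(f"{host:32} -> {registrable_domain(host)}")
    print(same_site("login.live.com", "account.microsoft.com"))   # False
    print(lookalike("dell.shop", "www.dell.com"))                 # True
```

Password managers typically match stored logins on the registrable domain, which is why the live.com login needs its own entry or a merged one; `lookalike` is the cheap version of the brand-label test a person does when dell.shop turns up in an inbox, and it fires just as readily on a legitimate dell.co.uk, which is the ambiguity the comments about regional domains are pointing at.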
Even aside from that, you probably want to register your own .sucks and .rocks, which just means whoever operates that registry gets to make a bunch of money from companies squatting domains that nobody wanted and bring no value to the world.
That’s kinda the point. Scammers want to deal with the poorly informed, the gullible, the vulnerable. They concomitantly prefer that the wary and street-smart select themselves away. A marketing professional would recognise the effective segmentation going on, and every new TLD is an opportunity in that regard.
I do not think so. I think if someone would have made an effort to rip off the real Dell site I would fall for it. I am just so lucky that scammers mostly prefer to go after the easier marks.
I am not sure what a better solution could be. The idea of EV certificates was good but executed poorly. Maybe a way to link certificates to business IDs.
I do however still prefer more gTLDs to minimize domain squatting.
> The idea of EV certificates was good but executed poorly. Maybe a way to link certificates to business IDs.
The idea was bad.
Anybody can open the Dell Flower Shop. They can call their company Dell Inc. and register the domain dell.shop and they're not doing anything wrong, because they're in a different industry and nobody is going to confuse a tulip with a laptop. And then they could get an EV cert that says Dell Inc. -- because that's who they are.
Which is why EV certs are worthless. Just because it says Dell doesn't mean it's that Dell. There can be arbitrarily many companies with the same name in different industries or locations. But then what is the certificate supposed to tell you that gives you more information than the domain name? The average person is not going to know a company's registration ID with the relevant secretary of state, or generally even what state they're incorporated in.
Also depends on how their browser shortens the display of the URL
People would fall for `dell.scam` too, it's a numbers game.
Answers like this, that basically call the users idiots and abdicate any responsibility on the part of tech, are a losing long-term business proposition. Figure it out and gain loyalty and market share.
I'm doubtful that most non-technical people familiarize themselves with TLDs/domain names. They use a search provider for whatever they need. As far as emails/phishing goes, it's a game of cat and mouse; it will never be over. Basically, don't trust unprompted email links and just go to the site if it's something you really want.
The always-search-instead-of-bookmark practice then introduces this situation https://www.bleepingcomputer.com/news/security/sneaky-amazon...
It's really an unsolvable cat and mouse game without properly familiarising oneself with the dos and don'ts of the internet.
I wonder if we could add some type of verification registry. It would be nice if browsers could have a big indicator saying that this website is verified to be associated with Dell Inc.
Some HTTP certificates do exactly that, and web browsers used to show the company/identity the certificate was issued to in the URL bar. Now you have to go to the certificates detail, very clear on Firefox, behind a few clicks on Chrome. Here's an example from a bank in Spain: https://www.bbva.es
HTTPS certificates should do exactly this.
They should. And sort of already do. Though, I wonder how difficult it is to register with some certificate issuers under a fraudulent name.
That was EV certificates. They were finally removed from browsers completely around five years ago because they didn’t actually work. At all. The problems were largely social. Plenty has been written about it, you can find it by searching.
Well, the original HTTPS certificates too were supposed to work like that; I remember reading a security article criticizing the EV proposal by quoting the old (circa 1998?) policy statements of different CA's and showing that they're pretty much identical to the EV requirements.
> Companies have to register on all these random domain to protect themselves.
"Nice business you got there. Shame if a scammer bought your name on my new TLD."
Yep that's the issue, I'm just saying I'd rather have that problem than the one where I can't register a clean looking personal domain because every idea I have is already registered (with 95% of them leading to a parking page untouched for years except to pay the bill). Feels like we just need more names available and I don't see how else we could get them.
Is dell.com, dell.co.uk and dell.ee owned and backed by the same corporation?
The implication that gTLDs are bad and new ones shouldn't be introduced because of this is a bit silly to me.
That wasn't what the article stated. The article stated that the problem is that the new TLDs are so cheap as to be disposable, and the registration requirements are lax. The combination makes them attractive to criminals.
It's literally the first sentence of the article:
"Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) — such as .shop, .top, .xyz — that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds."
The problem is the new gTLDs don't increase the useful supply of domains.
For casual usage like personal blogs and whatnot? Sure, use whatever.
But if I was starting a web-based business and couldn't afford the .com? I'd rename the company before I'd use .xyz - if your business takes off the squatters will notice and raise their prices, so the .com will never be cheaper.
If you got an "urgent e-mail" saying your employer needed you to confirm you're legally allowed to work, and they directed you to experianrtw.app - would you go there and send them a photo of your passport?
There are a few options, though. The fact that .io got so popular shows that we are not forever chained to .com. It's just that a lot of the nuTLD options are honestly hilariously bad, most of them are just lame. My personal top picks are ".online" and ".software" with mention to ".network" but they're all WAY too long. I actually use ".cafe" for my personal stuff because it's short and cute. Obviously can't use that for your SV rocketship company though.
Would it have been so hard to sit down and pick a couple short ones - yknow, ones people might actually use?
Unfortunately, .io is now also unsafe with the upcoming transfer away from the UK; another cautionary tale for those considering not getting a .com.
I’ve been seeding government and business forms with a .io email address for years (to counter gmail dominance), and I’m quite concerned about the situation now.
That's because it's a ccTLD, not because it's not dot-com though. The powers that be could very well decide to just promote it to be a gTLD if they wanted to not destroy stuff for no reason. Actual gTLDs aren't susceptible to the same kinds of issues.
> The powers that be could very well decide to just promote it to be a gTLD
No, they can’t do that. Every two-letter TLD is defined to be a ccTLD, and nothing else.
If they did that anyway, who would stop them? This seems like a great time to make an exception.
Literally, these are arbitrary strings following arbitrary rules. It's time to ditch ICANN and develop a parallel DNS that makes sense for today not the 90s.
Yes they can. They did it before after the Soviet Union broke up and they kept the .su TLD. It's still active. I'd argue that keeping around .io is more important than keeping .su around, seeing how many people and businesses use .io domains.
The Soviet Union ceased to exist. As long as the British Indian Ocean Territory is not breaking up or otherwise dissolving, it still is allocated a ccTLD.
But it is dissolving.
I use .network for my internal network with a proper FQDN. This allows me to get certs for internal services that validate in all browsers.
If I got an 'urgent email' I wouldn't go to any domain, I would contact my employer directly and confirm with them before doing anything. The people who would fall for this phishing scam would fall for almost any domain, because it's not about the domain.
Millions of people don't have an employer with an HR department they can call on the phone to confirm that an email is legitimate.
What if your primary source of income is Uber or Doordash or Etsy or Youtube?
All of these have support contacts for drivers/dashers/etc. Eg https://help.doordash.com/dashers/s/dasher-support?language=...
What if you get an email from [yourbank].bank? Or if your mother got one?
It's never a single signal, and the more legitimate a domain looks, the bigger the chance is that someone falls victim to a scam.
Bad example. The requirements to register in .bank are quite rigorous (see https://register.bank/eligibility/). Phishers typically go for TLDs that impose far fewer requirements on their registrars.
The lion's share of issues with domains would go away if we made squatting illegal, or at the least, extremely expensive.
Tbh I'm increasingly thinking that just about any speculative instrument in the economy is just grift and drag. If you want to make money, make things. Stop trying to extract rent or exorbitant prices for land, for domains, for PS5s, etc. Feels like 9/10ths of the economy now is nothing but fucking middlemen, when we have a dearth of need of ANY middlemen at all anymore.
> The lion's share of issues with domains would go away if we made squatting illegal, or at the least, extremely expensive.
How do you define squatting? Is the owner of nissan.com "squatting" on it because he wouldn't sell to the Japanese car company? How much interest do you need in a given domain before it's not squatting?
I would argue if you aren't doing some combination of:
- Hosting a website
- Operating email accounts
- Infrastructure (mail, DNS, etc.)
- Misc. Services (Minecraft server, TeamSpeak server, something)
Then you're squatting. Like if you own turkeyonapig.com and it's literally just a web page with a picture of a turkey sitting on a pig? Not squatting. It's odd but it's clearly doing exactly what it's meant to be doing. If you own turkeyonapig.com and are doing nothing but advertising that fact, and that someone can buy it? Squatting.
> Is the owner of nissan.com "squatting" on it because he wouldn't sell to the Japanese car company?
I mean, it depends. One would argue that people going to nissan.com are clearly looking for the Japanese car company, so it's in the public's interest that that domain be sold to them. On the other hand, if someone owns it and is using it to run a Nissan fan website? Well I suppose that's trickier, but that would also probably be better suited to something like nissanfans.com.
It's a tricky thing but not impossible to figure out.
>I would argue if you aren't doing some combination of: [...]
cloudflare offers free website hosting and email forwarding, so it's basically free for a squatter to check those boxes.
>I mean, it depends. One would argue that people going to nissan.com are clearly looking for the Japanese car company, so it's in the public's interest that that domain be sold to them.
So you basically want the Kelo v. City of New London decision to be applied to domains as well? You own "erictrump.com" but aren't the president-elect's son? Well tough luck because it's "in the public's interest" that president-elect's son gets it rather than you.
> cloudflare offers free website hosting and email forwarding, so it's basically free for a squatter to check those boxes.
Sure. But it still takes time, or as someone else suggested, a GPT query. Putting literally even the tiniest amount of work in front of squatting will reduce the amount of squatting.
> So you basically want the Kelo v. City of New London decision to be applied to domains as well? You own "erictrump.com" but aren't the president-elect's son? Well tough luck because it's "in the public's interest" that president-elect's son gets it rather than you.
I mean, it is. And putting the phrase in scare quotes isn't a counterpoint.
One could argue in fact that one of the multitude of reasons for the rise of platforms is that it's so hard to find anything on the actual internet, and part of that in turn can be blamed squarely on squatting.
You can boil it down to: are you offering it for sale? If yes, squatting. If not, early bird gets the worm. You should be able to own a domain name and not be required to do anything with it beyond paying the registrar to legitimize your ownership.
> It's a tricky thing but not impossible to figure out.
Good to hear. So after that you'll be sorting out world peace - right?
I really don't think eliminating domain squatters is some impossible task. You could probably just tax sales of domain names to death (90% sales tax on any resold domain names) to disincentivize it vs registration upkeep costs.
Squatters are a massive blight on the internet.
The problem goes way beyond domain squatting. You have a limited resource, say nissan.com, and you have several valid claimants. Who gets to decide what's fair? First past the post? Heaviest pocket book? Biggest stick? Popular acclaim? ...
It's not unique to domains, this is why the world is nuts.
I don't intend to solve this problem entirely, just to displace this business model of squatting domains, which is a massive waste of domain space.
First past the post is "good enough" for me if the intrinsic value of the domain to you is greater than the domain registration fee of like 3-10 bucks a month.
There shouldn't be a major reselling market, that would be like if the majority of space in the yellow pages was just advertisements that said "your business ad here!"
Make the transaction in a country that doesn't have such a tax?
The tax would be done by the registrar or ICANN or whatever (although throwing more money at them might increase corruption of their bureaucracy, oh well). You could burn the money for all I care.
If you get caught, the domain is blacklisted. Ownership transfer is public, so there is little incentive for buyers to go with this route.
Do they or even should they have the authority to demand that people correctly report the prices they trade domain names for?
And you think a domain squatter would be deterred by high pricing and not just point every single domain to a VPS with a „Hey guys buy my domains“ page? Or even just point them to any random IP, since DNS is one of the legitimate uses you named?
I mean that's basically what most do now. I'm saying the domain should direct to an actual website, irrespective of how useful or large it is.
See my example of turkeyonapig.com.
> a web page with a picture of a turkey sitting on a pig? Not squatting
GPT/Cursor will create that page for you in 5 min. I bet a NotSquattingAsAService startups will appear which will create the "not squatting" fake site for you for $2.
I mean, that's an improvement in my mind over millions of insipid "BUY THIS DOMAIN!" web pages. At the least the internet would be more interesting?
But also like, then you aren't advertising it for sale. So I'm wondering how many offers you're going to get to sell that domain, which is the point of squatting it.
That's not how most squatting pages are sold. They are registered for sale in places like NameCheap and you can see it directly when you search for domains.
> NotSquattingAsAService startups will appear which will create the "not squatting" fake site for you for $2.
That's an improvement. Adding $2 to $5 to the cost of a squatted domain will start to dissuade people who squat on tens of thousands of domains, if they have to suddenly have to pay $20,000 to $50,000 for the not squatting service.
>That's an improvement. Adding $2 to $5 to the cost of a squatted domain will start to dissuade people who squat on tens of thousands of domains
There's no way static site hosting and an email service costs $2-$5 per year per domain, especially for bulk users. Even if we take that price at face value, a .com domain already costs around $10/year. A 20%-50% increase will only change behavior at the margins. It won't make chat.com magically become available, and at best will make some D tier domains available. Ironically the introduction of gTLDs probably had the same effect. Squatting harrisonburgrealty.com is suddenly going to be less profitable when there's harrisonburg.{realty,realestate,realtor,homes,house,place,properties,rent,apartments} available as well.
To be clear, when I said make it cost more, I was thinking more like taxes. Similar to how we should be taxing vacant homes to raise the cost of keeping empty properties and lower the rents in turn.
Nissan is the guy's name. Come on.
It doesn't matter if you're just a dude or a corporation, you play by the same rules. There isn't anything to solve here. These problems are solved between those 2 parties and no one else.
Good Lord. It's in the public's interest it remains this way.
Another person here had it right, companies have been playing with fire with their URL shenanigans. From one time TLDs to abusing tracking parameters. Not to mention browsers in their insane quest to strip useful information out of their UIs, making you CLICK to see who owns the place. Clown world really.
It's not a particularly hard problem. Most countries have rules on what you can use as a business name or register as a trademark. Domain names are just more of the same.
And you don't really own your domain. You are just renting it from whichever authority is responsible for the TLD. If you stop paying, the authority will eventually take it back.
Trademarks are specific to the field it is used on. Classic example is Apple Records vs Apple Computers, which one should get apple.com?
And there are also businesses with identical names. But the basic idea was already established long before the internet. If you have a legitimate claim to a name, you have a legitimate claim to that name. There may be multiple entities with a legitimate claim to a particular name, in which case the first one that used it in a particular context gets to use it in that context. And if you think that someone is using a name you have claimed in a misleading way or acting in bad faith, you can sue them and let the courts decide.
The problem is that as you note, trademarks and company names are not unique, but domain names are required to be unique. So that n to 1 relationship between trademarks/names and domain names intrinsically creates a problem: how to allocate the domains when there are many equally legitimate pre-existing claimants. This is not a solved problem the way you portray it, because domain names have this novel uniqueness requirement.
Of course this raises the valid question of whether using names in this way at all is a good idea. For example the telephone system and lots of banking stuff is based on simple numerical identifiers, and lots of countries also have some unique (numerical) identifiers for companies and persons. So there is fairly strong precedent for using assigned ids instead of names when uniqueness/specificity is required. But somehow we have jumped to the conclusion that for example IP addresses would be too confusing to the average joe, and in an attempt to hide them we have created an even more confusing system.
Many countries already solved this problem with their ccTLDs decades ago. It only required taking the established practices and applying them to a new class of names. There are always some edge cases, but domain name assignment is pretty much a solved problem.
If you're starting a new company, squatters are not a real problem. Just pick another name. If your favorite name is so valuable that it's squatted, then it's valuable! The squatter was reserving it for you, the only company that could really make good use of it, instead of some random personal blogger who happened to walk in first and would have wasted its high value.
Also, what's the difference between a squatter and a personal blogger?
What looks like squatters might also be people who just want their own domain only for email, not hosting.
Or are hosting non-public services and want TLS certs that all my devices trust automatically, like me.
That's certainly an issue. There have been a number of cases where companies have demanded that people hand over domains that they "were not using". Not using being defined as "does not have a website".
It feels like there should be some way of determining if a domain is actively being used, to combat squatters, but whenever someone tries to make a rule it ends up being something stupid, like not having a website.
Email is one of the easier services to detect; not only does SMTP specify that the server sends a greeting before authentication occurs, but there's also a bunch of DNS records just sitting there in full view. I'd say it's easier to detect real usage with email than with HTTP, because, to my knowledge, nobody runs an MTA just to say 'this domain is for sale' like they do on the Web!
Including me.
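The point above, that mail leaves evidence sitting in DNS, can be turned into a check. This is an added example, not code posted in the thread; it classifies constructed DNS answers embedded in the script, and the specific records it keys on are the ones that say "no mail here" as opposed to merely "no records": a null MX (the single `0 .` record from RFC 7505) and an SPF policy of exactly `v=spf1 -all`.

```python
"""Classify whether a domain is really set up for mail from its DNS records.

Added example, not code from the thread. It runs on the constructed DNS
answers embedded below instead of live lookups; with a resolver (e.g.
dnspython's dns.resolver.resolve(name, "MX")) the same classify_mail()
applies to real data. Signals used:
  * MX pointing at a real exchange           -> the domain receives mail
  * null MX, a single "0 ." record (RFC 7505) -> explicitly receives none
  * SPF "v=spf1 -all"                         -> explicitly sends none
"""
from typing import Dict, List, Tuple

MxRecords = List[Tuple[int, str]]

# Constructed sample answers keyed by domain: "mx" is (preference, exchange)
# as returned for an MX query, "txt" is the list of apex TXT strings.
SAMPLE_DNS: Dict[str, Dict[str, list]] = {
    "inuse.example":   {"mx": [(10, "mail.inuse.example.")],  "txt": ["v=spf1 mx -all"]},
    "nomail.example":  {"mx": [(0, ".")],                     "txt": ["v=spf1 -all"]},
    "parked.example":  {"mx": [],                             "txt": []},
    "inbound.example": {"mx": [(10, "mx.inbound.example.")],  "txt": ["v=spf1 -all"]},
}


def is_null_mx(mx: MxRecords) -> bool:
    """RFC 7505: exactly one MX, preference 0, exchange is the root "."."""
    return len(mx) == 1 and mx[0][0] == 0 and mx[0][1].rstrip(".") == ""


def spf_sends_nothing(txt: List[str]) -> bool:
    """True for an SPF policy that authorises no sender at all."""
    for record in txt:
        terms = record.strip().lower().split()
        if terms and terms[0] == "v=spf1" and terms[1:] == ["-all"]:
            return True
    return False


def classify_mail(mx: MxRecords, txt: List[str]) -> str:
    """One of: "active", "receive-only", "explicitly-none", "unknown"."""
    if is_null_mx(mx):
        return "explicitly-none"
    receives = any(exchange.rstrip(".") != "" for _, exchange in mx)
    sends_nothing = spf_sends_nothing(txt)
    if receives:
        return "receive-only" if sends_nothing else "active"
    if sends_nothing:
        return "explicitly-none"
    return "unknown"  # no MX and no SPF: the records say nothing either way


def classify_domain(name: str, dns: Dict[str, Dict[str, list]] = SAMPLE_DNS) -> str:
    records = dns.get(name, {"mx": [], "txt": []})
    return classify_mail(records["mx"], records["txt"])


if __name__ == "__main__":
    for domain in SAMPLE_DNS:
        print(f"{domain:18} {classify_domain(domain)}")
```

"unknown" is deliberately not "none": a domain with no MX at all still receives mail at its A/AAAA address under the implicit-MX rule of RFC 5321, so absence of records proves nothing, whereas a null MX or a bare `-all` is the registrant going out of their way to say the domain is not used for mail, which is a much stronger parked-domain signal than an empty web root.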
gTLDs don't really solve the problem of running out of domain names any more than doing it yourself like myname-shop.com There are too many gTLDs for anyone to remember so they're really just an arbitrary extension on the 2nd/3rd level name.
The whole environment of the newer gTLDs just feels… gross. I rarely find a reputable business that is using anything but .com or .co.XX as the primary domain.
Putting on my regular-person hat: When I see a billboard or print ad with e.g. `example.travel`, I read that as a social media handle and not a website address like `example.com` would convey. In public perception, dot com means websites. Always has.
(Tangentially, the `.sucks` TLD in particular should never have been allowed. How many brands out there have to maintain a perfunctory registration there just to prevent somebody else from doing so?)
>(Tangentially, the `.sucks` TLD in particular should never have been allowed. How many brands out there have to maintain a perfunctory registration there just to prevent somebody else from doing so?)
The entire reason for allowing that TLD is a presumption that brands are not entitled to prevent the registration of domains which exist specifically to criticize them.
Ok, but now 1 company/squatter can buy all the top .sucks sites... is that much better?
> When I see a billboard or print ad with e.g. `example.travel`, I read that as a social media handle and not a website address like `example.com` would convey.
This is where I think the new gTLDs registries could do better. Using your domain as a handle on Bluesky is a perfect example of something they could push for to grow the industry, but they seem to think the status quo with a sprinkle of price discrimination is the winning formula.
Most of the new gTLDs work great as domain verified social media handles, but no one is going to use them for that if all the good keywords are classified as premium with $100+ annual renewal fees. However, if you make them too cheap and they get popularized, domain investors will register everything good and try to flip them.
I think first year premium pricing strikes a good balance that doesn't limit novel, non revenue generating use cases too much. Charging $100-200 for the first year causes a very large increase in the amount of capital domain flippers need to invest to acquire a large portfolio of good names.
If Bluesky catches on I think we could hit a point where non-technical people are suddenly shocked when they see someone "using their social media handle for a website." Getting back to having people understand there's more than just Facebook and Twitter would be a step in the right direction IMO, so it would be nice to see Bluesky continue to gain popularity.
Remember reading Ford Motor Company already registered FordSucks.com and a bunch of permutations of that way back when.
I never deal with co.xx to be honest. Most websites I visit are on ccTLDs. Whenever I see a .com link to any local business, I start out by assuming it's a scam website.
That said, .app has found plenty of adoption. Tech companies absolutely love .io and .ai is now also gaining popularity. The good American URLs have all been bought years ago so people flock to ccTLDs and gTLDs for new products and businesses. Even .engineering has a few interesting businesses on it these days.
As for .sucks, it's clearly a cash grab, but banning it hardly solves a problem. ycombinatorsucks.com is a lot cheaper than ycombinator.sucks, and if ycombinator pre-emptively buys ycombinatorsucks.com, you could just buy ycombinatorisshit.com or ycombinatorisadoodoohead.com.
This is very regional.
.co.xx is common in Britain (.co.uk), Japan (.co.jp), New Zealand (.co.nz) and probably others. It's perfectly legitimate for a site linked to those countries.
NZ didn't allow registration of raw .nz domains until 2014 so anything registered before that was a .co.nz or similar. It's still more common than .nz due to inertia / muscle memory I guess. I get weird looks when I give people my (name).nz email address - usually people ask if I meant .co.nz
BR went the other way. Registration of raw .br domains used to be allowed for universities, but AFAIK other than grandfathered registrations it's no longer allowed (new registrations have to use .edu.br).
My suspicion is that it was due to abuse; a long time ago, I noticed some university had registered IIRC .co.br (our correct equivalent to the .com gTLD is .com.br; this is a notable exception to the assertion above that "I rarely find a reputable business that is using anything but .com or .co.XX as the primary domain", since plenty of reputable businesses use .com.br as their primary domain, not .co.br which doesn't exist).
> I rarely find a reputable business that is using anything but .com or .co.XX as the primary domain
What about all the other ccTLDs? Okay, maybe not .ly, .by, .ru and friends, but what do you have against .it, .fr, .de, .es?
.ly, .by and .ru are legitimate in their own context.
https://www.mos.ru (Moscow's city site), https://www.belarus.by/ (Belarus' tourism site) and https://libyaobserver.ly (Libyan newspaper) are three examples.
And I'd be almost as suspicious of buy-viagra-pills.de as I would be of buy-viagra-pills.ru.
.de domains require a German postal address, so I would actually trust them more than the .ru equivalent. Plenty of other ccTLDs have even stricter nationality requirements for registration.
I’m disappointed at the arbitrary decision-making that lets the registrars deem certain domains to automatically be “premium” and mark them up appropriately. It feels like that’s an additional layer of extortion on top (doubly so when the premium price carries into the full renewal price, too).
So, to be clear, the following tend to be seen as problems by their interested parties:
Which of these issues / values / interested parties are more important to help than others, and what, if anything, should change?

I, personally, tend to be in favor of reducing the impact of scalpers by increasing total available volume. As a consequence, I'm also willing to accept some terms for the registries that they get to set higher prices for the most premium of their domains to:
I think first year premium pricing makes a lot of sense. I'm not sure what the average time to sell is for a domain investor, but say it's 10 years for an easy example.
If you go from a standard registration price of $12 / year to a first year premium of $132, you double the 10 year carrying cost of a domain. That, naively, means domain investors can only speculate on half as many domains.
By having a first year premium price and then dropping domains back into the 'standard' tier, you also leave registrants with a semblance of price protections via section 2.10c of the registry agreement. As-is, premium domains have zero guarantees when it comes to premium renewal pricing.
There's a lot of room between squeezing domain investors and asking registrants to pay $100-1000+ per year for premium domains.
If memory serves me, first year premium pricing is definitely a thing for some domains on some tlds with some registrars.
Though I can also definitely understand why, for example, "lawyer.lawyer" would cost $$$$ every year, too, at least myself.
It's the registries not the registrars that classify some domains as premium. I think they're a risky product because you don't even get the limited price protections provided by section 2.10c of the registry agreement, but there seems to be a market for them [1].
1. https://domainnamewire.com/2024/08/28/radix-sets-record-for-...
Really? What about countries that allow just .ccTLD?
> new gTLDs introduced in the last few years command just 11 percent of the market for new domains, but accounted for roughly 37 percent of cybercrime domains reported between September 2023 and August 2024.
> .com and .net domains made up approximately half of all domains registered...they accounted for just over 40 percent of all cybercrime domains.
Hardly earth shattering. .net and .com are still pulling 80% of their weight when it comes to cybercrime. And the article concludes that the main reason the new TLDs are disproportionately used is because you can sometimes buy them cheap in bulk.
Maybe the real story here is that the ccTLD registrars, who weren't mentioned, are disproportionately good at deterring cybercrime.
> Maybe the real story here is that the ccTLD registrars, who weren't mentioned, are disproportionately good at deterring cybercrime.
I think that some ccTLDs requiring positive identification, usually as a side effect of residency or nationality requirements, immensely help here (versus most gTLDs requiring f***-all identification).
I definitely don't want to move to a system where making a website needs both a government and a private corporation vouching for you. That's the worst case scenario.
> .net and .com are still pulling 80% of their weight when it comes to cybercrime.
The article states it's half that.
"while .com and .net domains made up approximately half of all domains registered in the past year… they accounted for just over 40 percent of all cybercrime domains. Interisle says an almost equal share — 37 percent — of cybercrime domains were registered through new gTLDs."
> The article states it's half that.
No, the article agrees with dmurray. Read again: 80% of 50% is 40%.
You seem to be implying that 80% of com/net domains are used for cybercrime, which is not a sound conclusion from those numbers. You're confusing "percent of all domains" with "percent of crime domains". You can't just divide them to get something meaningful.
No, the statement was that ".net and .com are still pulling 80% of their weight when it comes to cybercrime." I read that as saying that .net and .com domains show up in cybercrime 80% as often as would be expected if all TLDs were equally likely to be used for cybercrime.
> John Levine is author of the book “The Internet for Dummies” and president of CAUCE. Levine said adding more TLDs without a much stricter registration policy will likely further expand an already plentiful greenfield for cybercriminals.
He's from pre-gold-rush Internet, and still making the net better: https://en.wikipedia.org/wiki/John_R._Levine
OT, but man, I remember reading that book when I was a kid. Then started reading HTML books and, of course, the Llama book.
I wonder if part of the "business model" behind the ever-growing gTLD list is that all the companies with well-known brands essentially have to also register their brand under the new TLD as well if they don't want to risk it being taken by criminals or competitors.
Why only make money once by selling apple.com if you can also sell apple.biz, apple.xyz, apple.froom etc ad infinitum?
I once worked for a big Hollywood studio and they finally stopped registering their name in every new .tld. They reasoned that if anyone used the domain in a way that is a trademark violation, then they could shut them down in court. Otherwise, they'd be chasing ever-increasing (extortion) rates for each new .tld.
Ultimately every trademark/company has to buy all the domains under their soon to be gTLDed trademark/company.
apple.* takes time to gather revenue. *.apple gathers an infinite amount of money quicker.
I have always thought the infinite proliferation of TLDs was a stupid idea. I'd be enlightened if I could think of one scenario that benefits from it outside of the registrars.
There are lots of people called John Smith. They all want a domain name. There's only so many variations of jsmith, j-smith, etc you can squeeze into .com, .net, and a few others.
Why shouldn't they be able to buy a domain name which contains their name?
Is it useful to be able to differentiate between McDonald's the restaurant and McDonald's the legal firm and McDonald's garage?
Why shouldn't each of those industries get their own TLD?
The original list of TLDs aren't some platonic good written by ineffable sages. It's OK for things to change.
> There are lots of people called John Smith. They all want a domain name. There's only so many variations of jsmith, j-smith, etc you can squeeze into .com, .net, and a few others.
> Why shouldn't they be able to buy a domain name which contains their name?
I fail to see how johnsmith[insert number here].com is any worse than johnsmith.[insert TLD here]. If anything a number is less likely to get mixed up than tlds, which have confusing pairs like ".tech" and ".technology", or ".engineer" and ".engineering".
Surely the number 14 is likely to get misheard as 40. And 13135432 is easily typo'd to 13134532.
It's not about typos or mishearing stuff, it's about words being jumbled in memory. Unlike a sequence of digits, people don't store the word "engineering" in their head as a string (eg. "E-N-G-I-N-E-E-R-I-N-G"). It's stored as something like "[concept of engineer] + [present participle]". That's far more likely to get jumbled in people's head during recall.
The only actual answer would have been to drain the TLD swamp and open up the root zone. Give us john.smith, website.jsmith, and mc.donalds. It's just a label anyway, and one that normies don't pay any attention to—save that even if they did, it's hard not to fall for mc-donalds.com or mcdonalds-restaurant.com anyway.
If the whole EV certificates thing had been set up in a way that it wasn't just a money extraction racket, that would be the way forward. Let user agents convey whether a site is trustworthy, and what entity it is connected to.
And… predictably, johnsmith.com ends up offering no utility to any of the John Smiths out there because it’s being held for ransom by a squatter:
https://www.afternic.com/forsale/johnsmith.com
Please don't let the facts get in the way of an argument from principle.
Domains are the ultimate identity system for building a more trustworthy internet without handing over control to some kind of verified ID scheme or being forced into publishing your personal details to gain credibility.
You can build reputation and trust using a handle, even if it's not associated with your real world identity. For example, I know that if 'ryao' replies to a question about ZFS, the response can be considered trustworthy. I don't know who that is or even what country they live in, but I know they're a contributor that isn't speculating or guessing when they reply and that's all that matters to me.
Domains can be used as verifiable, globally unique handles which simplifies things for the average user because it makes it easier to help users avoid impersonation and confusion if you can point them to something simple and verifiable. For example, look at Bluesky [1].
I've been wanting domain based namespaces and handles for a solid 5 years because it just makes sense. Here's my oldest mention of it (asking why package managers don't use domain verified namespacing) I have on HN [2]:
> It seems like a waste to me when I'm required to register a new identity for every package manager when I already have a globally unique, extremely valuable (to me), highly brandable identity that costs $8 / year to maintain.
You can tell it's old because .com domains only cost $8 back then. IMHO, domain based handles are the #1 reason to use Bluesky over X/Twitter. People used to spend $10-15k buying "noteworthiness" via fake articles, etc. to get verified on Twitter. I can't find any links because search results are saturated with talk of X wanting $1000 per month for organization validation (aka a gold check mark). Domain validation is just as good as that kind of organization validation, at least for well known individuals and organizations.
Given that, I think there would be a bigger market for domains if domain validated identities catch on. It could even spawn specialty gTLDs that do extra identity or notoriety checks (if that's allowed) or maybe attestations would become a big thing if there were an easy way to do them against a domain verified handle.
1. https://bsky.social/about/blog/3-6-2023-domain-names-as-hand...
2. https://news.ycombinator.com/item?id=24674882
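The domain-verified handle scheme the comment above points at (Bluesky's) is small enough to show end to end. The block below is an added example, not code from the commenter or from Bluesky. It assumes the AT Protocol's published binding rules: a handle points at an account DID either through a DNS TXT record at `_atproto.<handle>` with the value `did=<did>` or through the text at `https://<handle>/.well-known/atproto-did`, and the DID document must point back by listing `at://<handle>` in `alsoKnownAs`. Lookups are injected as functions so the demo runs offline on constructed records; the DIDs and hostnames are fictitious.

```python
"""Domain-verified handles as the AT Protocol (Bluesky) does them.

Added example, not code from the comment above or from Bluesky. A handle such
as alice.example.com is bound to an account identifier (a DID) in one of two
ways, and the binding only counts if it is bidirectional:
  1. handle -> DID: a DNS TXT record at _atproto.<handle> reading "did=<did>",
     or the text at https://<handle>/.well-known/atproto-did;
  2. DID -> handle: the DID document lists "at://<handle>" in alsoKnownAs.
Lookups are pluggable so this runs offline against constructed records.
"""
from typing import Callable, Dict, List, Optional

TxtLookup = Callable[[str], List[str]]            # DNS name -> TXT strings
WellKnownFetch = Callable[[str], Optional[str]]   # handle -> body or None
DidAliases = Callable[[str], List[str]]           # DID -> alsoKnownAs list


def normalise_handle(handle: str) -> str:
    """Lower-case, strip a leading '@' and trailing dot, and use the
    punycode (A-label) form so IDN handles compare consistently."""
    h = handle.strip().lstrip("@").rstrip(".").lower()
    return h.encode("idna").decode("ascii")


def resolve_handle(handle: str, txt_lookup: TxtLookup,
                   fetch_well_known: WellKnownFetch) -> Optional[str]:
    """Return the DID the handle points at, or None if nothing valid is published."""
    h = normalise_handle(handle)
    # Method 1: DNS TXT at _atproto.<handle>. Unrelated TXT strings are ignored.
    for txt in txt_lookup("_atproto." + h):
        txt = txt.strip()
        if txt.startswith("did="):
            did = txt[len("did="):].strip()
            if did.startswith("did:"):
                return did
    # Method 2: HTTPS well-known document; the first non-empty line is the DID.
    body = fetch_well_known(h)
    if body:
        for line in body.splitlines():
            line = line.strip()
            if line:
                return line if line.startswith("did:") else None
    return None


def verify_handle(handle: str, claimed_did: str, txt_lookup: TxtLookup,
                  fetch_well_known: WellKnownFetch, did_aliases: DidAliases) -> bool:
    """True only if the handle resolves to claimed_did AND the DID document
    claims the handle back. Either direction alone can be asserted by an impostor."""
    h = normalise_handle(handle)
    if resolve_handle(h, txt_lookup, fetch_well_known) != claimed_did:
        return False
    aliases = {a.lower() for a in did_aliases(claimed_did)}
    return ("at://" + h) in aliases


# Constructed records for the demo (fictitious DIDs and hostnames).
SAMPLE_TXT = {
    "_atproto.alice.example.com": ["did=did:plc:alice0example0did"],
    "_atproto.mallory.example.net": ["v=spf1 -all"],       # no did= string at all
}
SAMPLE_WELL_KNOWN = {
    "bob.example.org": "did:plc:bob0example0did\n",
}
SAMPLE_DID_ALIASES = {
    "did:plc:alice0example0did": ["at://alice.example.com"],
    "did:plc:bob0example0did": ["at://bob.example.org"],
    "did:plc:impostor0did": ["at://alice.example.com"],     # claims alice; alice does not point back
}


def sample_txt(name: str) -> List[str]:
    return SAMPLE_TXT.get(name, [])


def sample_well_known(handle: str) -> Optional[str]:
    return SAMPLE_WELL_KNOWN.get(handle)


def sample_did_aliases(did: str) -> List[str]:
    return SAMPLE_DID_ALIASES.get(did, [])


def demo() -> Dict[str, bool]:
    cases = [
        ("@Alice.Example.com.", "did:plc:alice0example0did"),   # TXT route, needs normalising
        ("bob.example.org", "did:plc:bob0example0did"),          # well-known route
        ("mallory.example.net", "did:plc:alice0example0did"),    # nothing valid published
        ("alice.example.com", "did:plc:impostor0did"),           # DID claims handle, handle disagrees
    ]
    return {f"{h} -> {d}": verify_handle(h, d, sample_txt, sample_well_known, sample_did_aliases)
            for h, d in cases}


if __name__ == "__main__":
    for case, ok in demo().items():
        print(("verified " if ok else "REJECTED ") + case)
```

The bidirectional check is the part worth copying into anything that accepts domain handles as identity: an attacker who controls a DID document can claim any handle in `alsoKnownAs`, and an attacker who controls a domain can point it at any DID, but only the legitimate owner can make both sides agree.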
I would actually think that consumers (of domains) benefit more than the registrars, because there is more competition. If I want a specific word as a domain, there are multiple options of TLD for me.
DNS should be a destination, not a utility. Every John Smith has a legitimate claim on smith.com.
DNS should offer disambiguation services. Instead, we have this awful system.
My dream is to fork a browser and replace the DNS component with an entirely new protocol that respects the notion that people in the real world share names.
Petnames?
https://files.spritely.institute/papers/petnames.html
Have you gone through the process of naming and securing domains for startups over and over again? Because let me tell you, it's brutal. The more TLDs, the better.
I love https://frame.work/ though
It's open season on suckers.
With a new crypto-friendly administration coming in, it's going to get much worse. If you haven't been following this, there's a whole industry pushing "meme coins" via pump and dump operations. Some even admit they are pump and dump operations.
A friend of our family almost got scammed from a .top domain. They convinced her she needed 'tech support' and transferred $30,000 from her savings to checking and tried to get her to go to the bank to get more money. She got suspicious and got new bank accounts and thankfully didn't get any actual money stolen.
She's retired and it could have ruined her financially. I don't think she realizes how close she was to this.
The software they used bypassed Windows Defender because it was legitimate software called 'ScreenConnect'. I was able to remove it pretty easily. It looked like a reverse-shell attached to a Windows service (small .exe with no front-end).
Cyberfraud is infuriating when we know the victim, and depressing when you look how ripe the target space is, but the TLD is neither the most interesting thing about the crime nor what’s to blame, right?
There’s a lot of trust in a namespace system that doesn’t deserve it, although odds are you personally can use it to be immune to scams. What do we do for everyone else?
When I used to run my own email, .top and .xyz received an automatic -10 on spam evaluation. I can't remember a single legitimate website that I actually used and would have had an account on from these TLDs; all I ever saw was spam.
I see a lot of personal blogs that use .xyz here on HN.
I use .XYZ because it was pretty cheap when I bought it
I use .xyz because I have a very common first and last name, and nearly all of the permutations of them were taken on .net, .com, .org, and .us; .xyz seems to price based on how desirable they think the name is, so I still couldn't get $FIRST-$LAST.xyz for a reasonable price, but I got something close.
I do too, aesthetically it's great. Unfortunately the rise in phishing from xyz domains means if you use it to send email your deliverability is likely to suck.
I thought the same, out of the 5 domains listed, I'm not sure I have used any legitimate website using them, so I might as well block them entirely
I hope this sentiment isn't too widespread... I use .xyz for my personal blog and primary email :shrug:
Similar for my self hosted email, though I just reject in postfix for about 30 of the cheap/meme TLDs.
Domain names becoming cheaper (and having greater variety) is a good thing. Yes that comes with an equivalent rise in scam domains, but the answer isn't to add further barriers to entry for everyone else.
If you see a phishing link, you can perform a DNS A record request to find their IPs, typically behind Cloudflare. You can report them to Cloudflare. Their WHOIS record will tell you who their registrar is, and again you can report them there too. If they use URL shorteners, you can report those.
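The triage routine the comment above describes (resolve the host, see whether it sits behind Cloudflare, find the registrar via WHOIS/RDAP, report to each) can be scripted. The block below is an added example, not the commenter's tooling. It assumes RDAP (the JSON successor to WHOIS) as the registrar lookup and reads contacts out of RDAP's entity/jCard layout; the Cloudflare prefixes are a constructed snapshot of a few published ranges and must be refreshed from https://www.cloudflare.com/ips-v4/ before real use; the DNS answers, RDAP document, domain names and abuse mailbox are all constructed so the demo runs offline. The `resolve` and `rdap_fetch` parameters are injection points where a real resolver and an HTTP client to the TLD's RDAP server would go.

```python
"""Triage for a suspected phishing hostname (added example, not the commenter's
own tooling). It reproduces the steps the comment above describes:

  1. resolve the host's A records (the resolver is injectable; the demo feeds
     constructed answers so nothing touches the network);
  2. decide whether those addresses sit in Cloudflare's published ranges, in
     which case the origin is hidden and Cloudflare's abuse channel is the
     first stop (the prefixes below are a constructed snapshot, not the
     authoritative list);
  3. read the registrar and its abuse mailbox out of the domain's RDAP record
     (sample document constructed in RDAP's entity/vCard layout, fictitious names).
"""
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed snapshot of a few Cloudflare IPv4 prefixes; not authoritative.
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14",
    "172.64.0.0/13", "173.245.48.0/20",
)]

Resolver = Callable[[str], List[str]]   # hostname -> list of address strings
RdapFetch = Callable[[str], Dict]       # registrable domain -> RDAP JSON object


def behind_cloudflare(ips: List[str]) -> bool:
    """True when every resolved address is inside a Cloudflare prefix.
    A mix of Cloudflare and non-Cloudflare addresses is treated as 'not'."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    return bool(addrs) and all(any(a in net for net in CLOUDFLARE_V4) for a in addrs)


def _vcard_value(entity: Dict, prop_name: str) -> Optional[str]:
    """RDAP entities carry contact data as jCard: ["vcard", [[name, params, type, value], ...]]."""
    vcard = entity.get("vcardArray") or []
    if len(vcard) < 2:
        return None
    for prop in vcard[1]:
        if len(prop) >= 4 and prop[0] == prop_name:
            return prop[3]
    return None


def rdap_contacts(rdap: Dict) -> Dict[str, Optional[str]]:
    """Pull registrar name and abuse e-mail from an RDAP domain object.
    The abuse contact is usually nested under the registrar entity, but some
    servers put it at the top level, so the whole entity tree is walked."""
    registrar = abuse = None

    def walk(entities):
        nonlocal registrar, abuse
        for ent in entities:
            roles = ent.get("roles", [])
            if "registrar" in roles and registrar is None:
                registrar = _vcard_value(ent, "fn")
            if "abuse" in roles and abuse is None:
                abuse = _vcard_value(ent, "email")
            walk(ent.get("entities", []))

    walk(rdap.get("entities", []))
    return {"registrar": registrar, "abuse_email": abuse}


def registrable_domain(host: str) -> str:
    """Last two labels. Fine for .com/.top/.xyz; for multi-label public
    suffixes such as co.uk use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(host: str, resolve: Resolver, rdap_fetch: RdapFetch) -> Dict:
    ips = resolve(host)
    cf = behind_cloudflare(ips)
    contacts = rdap_contacts(rdap_fetch(registrable_domain(host)))
    report_to = []
    if cf:
        report_to.append("cloudflare-abuse")     # origin hidden; the proxy operator can act
    if contacts["abuse_email"]:
        report_to.append(contacts["abuse_email"])
    if not cf and ips:
        report_to.append("hoster-of:" + ips[0])  # direct origin: netblock owner is next
    return {"host": host, "ips": ips, "behind_cloudflare": cf, **contacts, "report_to": report_to}


# --- Constructed demo data (no real domains, contacts or addresses) ----------
SAMPLE_DNS = {
    "login.account-verify.example": ["104.21.33.44", "172.67.150.23"],  # in Cloudflare ranges
    "www.direct-host.example": ["198.51.100.7"],                        # TEST-NET-2, not Cloudflare
}
SAMPLE_RDAP = {
    "account-verify.example": {
        "objectClassName": "domain",
        "ldhName": "account-verify.example",
        "entities": [{
            "roles": ["registrar"],
            "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar LLC"]]],
            "entities": [{
                "roles": ["abuse"],
                "vcardArray": ["vcard", [["email", {}, "text", "abuse@example-registrar.invalid"]]],
            }],
        }],
    },
    "direct-host.example": {"objectClassName": "domain", "entities": []},
}


def sample_resolve(host: str) -> List[str]:
    return SAMPLE_DNS.get(host, [])


def sample_rdap(domain: str) -> Dict:
    return SAMPLE_RDAP.get(domain, {})


if __name__ == "__main__":
    for h in SAMPLE_DNS:
        print(triage(h, sample_resolve, sample_rdap))
```

One caveat the comment glosses over: when the host is behind Cloudflare, the A record tells you nothing about where the phishing kit actually lives, which is exactly why the registrar and Cloudflare routes matter more than the IP in that case.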
Domain names are like real estate in a poorly-planned city.
The city centre is overcrowded and super-expensive, while the new neighbourhoods in the suburbs are a mixed bag.
Some become instant hits and sometimes cost more than inside the city (like .ai lately), while others are TLDs that only bring pain.
Not to forget you are always leasing, and own nothing in the end.
As much as some gTLDs are known for spam, it's dangerous to generalize certain domains as spam. I used to run a website with a somewhat niche gTLD and it was a headache getting blocked by spam filters who just blocked *.mygTLD
I use a .xyz for my personal domain (I could get my real name as the domain, and it was cheap). I use FastMail for email. Deliverability has been fine, with one exception - Radisson Red hotels. I’ve had two occasions in the last year when I’ve needed to email different Radisson Red properties, and both silently dropped emails from .xyz domains.
I've been blocking .shop, .top, .xyz, and several other new TLDs but only specific TLDs where we see high (or all) spam. For our org, this means I also block .in and .jp in SMTP, as those are almost exclusively spam for us too.
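Several comments in this thread describe the same mail-side policy in words (a fixed spam-score penalty for .top/.xyz, an outright reject list for a few dozen cheap TLDs in Postfix) and others describe its failure mode (a whole TLD blocked, legitimate senders on it silently dropped). The block below is an added example that puts both in one place; it is not any commenter's actual configuration. The TLD lists, scores, threshold and sender addresses are constructed for the demo, not a recommendation, and the per-domain allowlist is the piece that keeps a blanket TLD rule from eating a real correspondent.

```python
"""Score-based TLD policy for inbound mail (added example, not any commenter's
real setup). A penalty per TLD, a reject list, and a per-domain allowlist that
overrides both so a legitimate .xyz sender is not collateral damage.
All lists, scores and addresses below are constructed for the demo.
"""
import re
from typing import Dict, Iterable, Optional

PENALTY_TLDS = {"top": -10, "xyz": -10, "shop": -5}   # demo scores
REJECT_TLDS = {"click", "loan"}                      # demo reject list
ALLOW_DOMAINS = {"legit-blog.xyz", "partner.top"}    # exceptions to both
TAG_THRESHOLD = -10                                  # at or below: tag as suspect
NO_TLD_SCORE = -20                                   # IP literal or bare host as sender

_ANGLE = re.compile(r"<([^<>]+)>\s*$")


def sender_domain(header_value: str) -> Optional[str]:
    """Domain part of 'Name <user@domain>' or 'user@domain', lower-cased,
    trailing dot removed. Returns None unless the addr-spec has exactly one
    '@' (quoted local parts with '@' inside are deliberately not accepted)."""
    m = _ANGLE.search(header_value)
    addr = (m.group(1) if m else header_value).strip()
    if addr.count("@") != 1:
        return None
    domain = addr.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return domain or None


def sender_tld(domain: str) -> Optional[str]:
    """Last label in A-label form (an IDN TLD stays as xn--...).
    IP literals like [192.0.2.1] and bare hostnames have no TLD."""
    if domain.startswith("[") and domain.endswith("]"):
        return None
    if "." not in domain:
        return None
    return domain.rsplit(".", 1)[1]


def _verdict(domain, tld, score, action, reason) -> Dict:
    return {"domain": domain, "tld": tld, "score": score, "action": action, "reason": reason}


def evaluate(header_value: str) -> Dict:
    """Decide accept / tag / reject for one From or envelope sender."""
    domain = sender_domain(header_value)
    if domain is None:
        return _verdict(None, None, 0, "reject", "unparseable sender")
    tld = sender_tld(domain)
    if domain in ALLOW_DOMAINS:                  # allowlist beats every TLD rule
        return _verdict(domain, tld, 0, "accept", "allowlisted domain")
    if tld is None:
        return _verdict(domain, None, NO_TLD_SCORE, "tag", "no TLD (IP literal or bare host)")
    if tld in REJECT_TLDS:
        return _verdict(domain, tld, 0, "reject", "TLD on reject list")
    score = PENALTY_TLDS.get(tld, 0)
    action = "tag" if score <= TAG_THRESHOLD else "accept"
    return _verdict(domain, tld, score, action, "TLD score")


def run_policy(senders: Iterable[str]) -> Dict[str, Dict]:
    return {s: evaluate(s) for s in senders}


# Constructed sample senders; none of these are real mailboxes.
SAMPLE_SENDERS = [
    "alice@example.com",
    "Deals <promo@cheap-deals.top>",
    "Friend <me@legit-blog.xyz>",
    "bob@EXAMPLE.XYZ.",
    "offers@get-rich.click",
    "x@[192.0.2.1]",
    "not-an-address",
]

if __name__ == "__main__":
    for sender, v in run_policy(SAMPLE_SENDERS).items():
        print(f"{v['action']:7} {v['score']:4} {sender!r:35} {v['reason']}")
```

Two points the demo makes explicit: the allowlist is checked before the reject list, otherwise the .xyz correspondent on it would still bounce; and the TLD is taken from the normalised domain, so case and a trailing dot cannot be used to slip past the rule.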
Which makes them particularly useless for a legitimate business since it’s likely they’ll be blocked, and begs the question of if they really have any purpose at all.
My primary catch-all email domain for accounts is at a silly TLD (.rodeo).
My biggest complaint is that some large retailers/services completely refuse to believe it is a valid domain. (I'm looking at you, Walgreens. You blocked me during a pandemic from signing up for a vaccine with my actual email address, which is why fuckwalgreens@myother.domain is now my email in your system.)
I’d guess it was their first rodeo.
Dunno why he had to single out those 3 TLDs in his title. Doesn't really matter that they're the most registered, there's soooo many TLDs now and all equally susceptible to phishing use because users aren't looking closely enough (nor should they really? nobody even knows what a browser is vs 'the internet') or there's no way for anyone to know what's official etc. We needed more TLDs in general, this is just a side effect of the scale.
The problem is not new TLDs, the real problem with phishing in 2024 is that the free Cloudflare layer allows phishers to be protected from automatic phishing detection tools like the ones I develop at my current job.
They also don't offer any programs for trusted third parties so we have to spend a lot of time bypassing and paying for services that skip Cloudflare instead of taking down phishing sites.
It seems like if this is a problem, then the whole domain system is a problem.
There's nothing that makes .top or .xyz more problematic than .net or .org. If the assertion is that it's too confusing for people to pay attention to all the parts of a domain name, then why do domain names continue to have multiple parts? Let's just deprecate everything other than .com and be done with it.
I remember once I saw a blog post about how a company's internal emails were getting blocked because they were on .xyz and got fixed by moving to a .com.
After that I decided to only get .xyz domains for internal usage like infra domains or for internal self hosted apps.
The correct way to identify the entity in the address bar is to display the O= (and country, if it differs from the requester) from the X.509 certificate.
URLs following a pattern is not a good way to authenticate a site.
For millions of sites, including this one, that would just show "Let's Encrypt, US".
And that’s the problem. I know I’m talking to “someone who has convinced Let’s Encrypt, US that they are foobar.com”. I have no idea if I’m actually talking to Foobar, Inc. (incorporated in Delaware, US).
There is a standard, reliable register of business entities (typically called “Secretary of State”) and it should be trivial to know if the domain I’m talking to is owned by/part of that entity, that the X.509 matches, and so forth.
That is an EV certificate. They are no longer common.
https://en.wikipedia.org/wiki/Extended_Validation_Certificat...
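The exchange above turns on what a certificate actually asserts about the operator, so here is the check in code. This is an added example, not any commenter's code. It assumes the dict layout Python's `ssl.SSLSocket.getpeercert()` returns (`subject` and `issuer` as tuples of RDNs, each RDN a tuple of `(attribute, value)` pairs, `subjectAltName` as `(kind, value)` pairs); the two sample certificates are constructed in that layout with fictitious names. The point it makes: for a domain-validated certificate the subject carries only a CN, and "Let's Encrypt" sits in the issuer, not the subject, so there is no organisation to show; an organisation name is present in the subject only when the CA validated one (OV or EV). Telling EV apart from OV needs the certificatePolicies extension, which `getpeercert()` does not expose, so this example only distinguishes "organisation validated" from "domain validated".

```python
"""What an address bar could show from a server certificate (added example,
not the commenters' code). Samples are constructed in the layout of
ssl.SSLSocket.getpeercert(): 'subject'/'issuer' are tuples of RDNs, each RDN
a tuple of (attribute, value) pairs. A DV certificate asserts nothing about
who runs the site; the issuer's name must not be promoted into that slot.
"""
import socket
import ssl
from typing import Dict, List, Optional


def _rdn_dict(rdns) -> Dict[str, str]:
    """Flatten ((('commonName', 'x'),), (('organizationName', 'y'),)) into a
    dict, keeping the first value seen for each attribute."""
    out: Dict[str, str] = {}
    for rdn in rdns:
        for attr, value in rdn:
            out.setdefault(attr, value)
    return out


def identity_label(cert: Dict) -> Dict[str, Optional[object]]:
    """Return what a user agent could honestly display for this certificate."""
    subject = _rdn_dict(cert.get("subject", ()))
    issuer = _rdn_dict(cert.get("issuer", ()))
    dns_names: List[str] = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    issuer_name = issuer.get("organizationName") or issuer.get("commonName")

    org = subject.get("organizationName")
    if org:
        # OV/EV: the CA vouched for a legal entity; show it with its country.
        country = subject.get("countryName")
        label = f"{org}, {country}" if country else org
        return {"validation": "organisation", "label": label,
                "issuer": issuer_name, "dns_names": dns_names}
    # DV: only control of the DNS names was proven. Say exactly that and
    # keep the issuer (e.g. Let's Encrypt) out of the identity line.
    return {"validation": "domain", "label": None,
            "issuer": issuer_name, "dns_names": dns_names}


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Live helper (uses the network): fetch and verify the server certificate
    against the default trust store and return the getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() layout (fictitious operator names).
DV_CERT = {
    "subject": ((("commonName", "foobar.example"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "subjectAltName": (("DNS", "foobar.example"), ("DNS", "www.foobar.example")),
}
OV_CERT = {
    "subject": ((("countryName", "US"),), (("stateOrProvinceName", "Delaware"),),
                (("organizationName", "Foobar, Inc."),), (("commonName", "foobar.example"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "subjectAltName": (("DNS", "foobar.example"),),
}

if __name__ == "__main__":
    for name, cert in (("DV", DV_CERT), ("OV", OV_CERT)):
        print(name, identity_label(cert))
```

Run against a live host with `identity_label(fetch_peer_cert("example.com"))`; for most sites today the answer is `validation: domain`, which is the situation the thread is describing.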
>xyz >new >doesn't mention .zip Krebsisters, it's so over
I’ve got a somewhat questionable tld for my main email address (really nice short one)
So far zero issue - somewhat to my surprise (was expecting delivery issues). Even got some compliments from people that thought it’s great
Once I found I couldn’t iMessage a .xyz link I decided to stay away…
This would have me staying away from iMessage. What other content is Big Brother not transmitting for my "protection?"
This is actually why I moved off of Facebook Messenger. It started blocking random links I tried to send so I moved to something E2E encrypted.
Facebook Messenger is E2E encrypted now (though obviously that's not going to prevent the developer from blocking links unless the client is also open source).
Given that .zip is now a TLD, I completely support not automatically linkifying things that might be links.
(If you used "https" and made it a full URL, that's different.)
it didn't send, or it didn't linkify?
Right, didn’t send.
On a similar note, it would be nice to see a number for how many .net and .com domains are squatted.
To someone used to seeing the cyrillic alphabet, .top reads ”tor”.
gTLDs also have cost risks like when .tech was taken over by a holding company and then tripled the registration price. Who knows about next year and the year after that.
If you run a business you can buy the domain for 10 years, right?
Honestly the only "legitimate" use for these TLDs seem to be fediverse/bsky vanity URLs.
Everything outside that just looks like a scam, even if it isn't.
On the contrary, when I'm given a fediverse or bsky vanity URL I'm inherently suspicious of the domain; and when I go there and see that absolutely nothing of consequence renders without Javascript, I am very much disinclined to whitelist anything, even if the page claims that it's just running a Mastodon instance or whatever. ("A likely story", you know.)
If someone gives me a fedi URL I'm almost certainly going to read it on my instance so it doesn't have any stupid CSS, so IMO you really don't need to be whitelisting anything.
Interesting! Now that you mention it, I did buy a .luxury domain for this purpose - a Gemini server. I also bought a .ski to have a domain with my (polish) last name.
It's great to be able to get silly domains for projects, back to the old days of IRC vanity hosts, but can you imagine seeing a link to something like jackets.luxury and going "yeah that seems legit, I'm definitely giving them my card details"
The first English result on Google for a .luxury site is this: https://leon.luxury/
It looks legitimate, and it's probably enabled Leon to use their business name in the domain.
The first American site is https://roughwood.luxury/, it also looks fine.
Yes, that is completely normal and my younger relatives would not even think twice.
In the TikTok and Instagram community people are spending billions not only on random domains (like tiedyeshirts.xyz) but often to venmo or zelle listed on profiles. My sister and thousands like her send money to faceless profiles to buy mystery boxes.
By that logic, would you pull out your credit card if you got linked jacketsluxury.com? .luxury is about twice as expensive as .com so I'm more suspicious of .com sites than of vanity TLDs.
I think there's a generational divide here, the older people seem to distrust more recent TLDs for some reason while younger people don't really care about them.
Nice thing about IRC is that you could do it for free so long as you controlled your PTR record.
jacketsluxury.com - probably not, luxuryjackets.com would definitely look a bit more trustworthy
But then I remember it's just a pointer to 19.124.217.99 and I have no idea if it's legit or not, just like all the .coms.
On the other hand, new TLDs make ICANN a lot of money, and isn't that the important thing?
> John Levine is author of the book “The Internet for Dummies” and president of CAUCE. Levine said adding more TLDs without a much stricter registration policy will likely further expand an already plentiful greenfield for cybercriminals.
Holy shit. CAUCE is a name I haven't heard in a long time. He's been around for a while and is one of the good ones.