
GoDaddy injecting JavaScript into websites and how to stop it - ikromin
https://www.igorkromin.net/index.php/2019/01/13/godaddy-is-sneakily-injecting-javascript-into-your-website-and-how-to-stop-it/
======
thaumaturgy
In case this turned out to be misleading, I picked a random GoDaddy-hosted
low-cost site (hometailer.com) and yep, there's the code:

<script>'undefined'=== typeof _trfq || (window._trfq = []);'undefined'===
typeof _trfd &&
(window._trfd=[]),_trfd.push({'tccl.baseHost':'secureserver.net'}),_trfd.push({'ap':'cpbh'},{'server':'a2plvcpnl83247'})
// Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.</script><script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></script>

That's pretty gross.

~~~
christophilus
GoDaddy is the Oracle of web hosting companies. I don’t understand their
popularity, yet it seems to be going strong. Why is that? (Serious question,
not rhetorical.)

~~~
swebs
Advertising. I remember seeing tons of not-quite-porn ads from them even
during superbowls.

~~~
collinmanderson
They stopped those fall 2013.

~~~
foob
That's quite specific. Do you know what the impetus for them to stop was?

~~~
praneshp
New CEO (Blake Irving)

~~~
cipherzero
He did a Reddit AMA after starting:
[https://www.reddit.com/r/IAmA/comments/23v7f3/hi_im_blake_ir...](https://www.reddit.com/r/IAmA/comments/23v7f3/hi_im_blake_irving_i_am_the_ceo_of_godaddy_ask_me/)

I remember it being surprisingly good!

------
guessmyname
This is quite ironic because I used to work in the security team at GoDaddy,
writing tools to scan and clean websites infected with malicious code injected
the same way. To find out that the company is using the same technique _(for
something less malicious?)_ is very surprising to me. I guess they never asked
the security team to review this feature; otherwise I doubt they would have
approved it.

~~~
bpchaps
Is this common in web hosting? I'd be pretty livid if my web host was
modifying traffic, regardless of the intent.

~~~
joecool1029
It's not unheard of. Some platforms offer New Relic RUM integration which
breaks shit (like XML sitemaps).

I am guessing the hosting provider gets access to the information the client
also gets, but that's just a guess without any evidence. It would just make
sense in the absence of regulation.

------
zimbatm
> how to stop it

When faced with egregious business practices the best option is to switch
company. What guarantees do we have that GoDaddy won't toggle the switch back
at some point, or introduce other trackers?

There are plenty of website hosting solutions out there. While at it, switch
your domain registrar to a reputable one like
[https://www.gandi.net/](https://www.gandi.net/)

~~~
hellofunk
Gandi might be great for common domain suffixes, but their support for
country-specific domains is poor, they just don't offer that many. If you're
not in the U.S. it can be frustrating.

~~~
techaddict009
Name.com is good in that case.

------
ATsch
I think it's pretty unfortunate that even now, CSPs are getting so little love
in the comments of a post where they would have easily prevented this script
from loading at all, and could have helped the author discover the script the
second it was added.

For the uninitiated, Content Security Policies (CSP) allow you to, among other
things, define a whitelist of origins for things like scripts, CSS etc. and
also notify you of violations. There is little excuse to not set a strong CSP
on your sites if you can, and you'll be glad you have it once something does
happen.
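
The mechanics behind this comment, as an added example that is not code from the article or from any commenter: a policy that allows scripts from the site itself and one CDN, a simplified version of the CSP source-expression matching that decides whether a given script URL would load, and a triage function for the JSON report a browser posts to `report-uri`. The origins `www.example.com` and `cdn.example.com`, the policy, and the sample report are constructed; only the blocked loader host `img1.wsimg.com` comes from the injected snippet quoted in the thread.

```python
"""Content-Security-Policy as a guard against injected scripts.

Added example, not code from the article or from any commenter. The origin
names, the policy and the violation report are constructed for illustration;
only the blocked loader host (img1.wsimg.com) comes from the thread.
"""
import json
from urllib.parse import urlsplit

# A policy for a site that serves its own scripts plus one CDN and wants to
# hear about anything else. No 'unsafe-inline', so the inline bootstrap that
# precedes an injected loader is refused along with the loader itself.
CSP = ("default-src 'self'; "
       "script-src 'self' https://cdn.example.com; "
       "report-uri /csp-report")

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches any subdomain but not example.com itself."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allowed(expr: str, url: str, document_url: str) -> bool:
    """Simplified CSP Level 3 matching for one source expression: 'none',
    'self', a scheme-source (https:) or a host-source with optional scheme,
    leading wildcard and port. Nonces, hashes and path matching are not
    modelled."""
    u, d = urlsplit(url), urlsplit(document_url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.hostname, u.port) == (d.scheme, d.hostname, d.port)
    if expr.endswith(":") and "://" not in expr:
        return u.scheme == expr[:-1].lower()
    scheme, _, rest = expr.rpartition("://")
    if scheme:
        if u.scheme != scheme.lower():
            return False
    elif u.scheme not in (d.scheme, "https"):  # schemeless host: document scheme or https
        return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    if not _host_matches(host.lower(), (u.hostname or "").lower()):
        return False
    if port and port != "*":
        return (u.port or DEFAULT_PORTS.get(u.scheme)) == int(port)
    return True


def script_allowed(policy: dict, url: str, document_url: str) -> bool:
    """External script: script-src governs, default-src is the fallback."""
    sources = policy.get("script-src", policy.get("default-src", []))
    return any(source_allowed(s, url, document_url) for s in sources)


def inline_allowed(policy: dict) -> bool:
    """Inline <script> blocks need 'unsafe-inline' (or a matching nonce/hash)."""
    sources = policy.get("script-src", policy.get("default-src", []))
    return "'unsafe-inline'" in sources


# Constructed report in the CSP Level 2 report-uri shape. Browsers reduce a
# cross-origin blocked-uri to its origin, so no path appears here.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/",
    "violated-directive": "script-src 'self' https://cdn.example.com",
    "effective-directive": "script-src",
    "original-policy": CSP,
    "blocked-uri": "https://img1.wsimg.com",
    "status-code": 200,
}})


def triage(report_body: str) -> dict:
    """Reduce a violation report to the record worth alerting on."""
    r = json.loads(report_body)["csp-report"]
    blocked = r.get("blocked-uri", "")
    return {"page": r["document-uri"],
            "directive": r.get("effective-directive") or r["violated-directive"].split()[0],
            "blocked": blocked,
            "kind": "inline" if blocked in ("", "inline") else "external"}
```

Two caveats a practitioner would want. First, `Content-Security-Policy-Report-Only` delivers the same reports without blocking anything, which is the safe way to build the allowlist before enforcing it; `report-uri` is deprecated in CSP Level 3 in favour of `report-to` but current browsers still honour it. Second, the header is emitted by the same server that serves the HTML, so a host that rewrites your pages could also rewrite your headers; what the policy reliably buys you is that, while it is intact, visitors' browsers refuse the inline bootstrap and the foreign loader and tell you about it.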

~~~
Semaphor
> There is little excuse to not set a strong CSP on your sites

true, but

> if you can

IIRC that excludes every website with Google Adsense and even just using a
manual ad network includes always fiddling with your CSP.

~~~
dcbadacd
> There is little excuse to not set a strong CSP on your sites

Can't use CSP if you want any ads on your page usually. If anyone here knows
an ad provider that plays nice with CSP and pays okay then please do let me
know, I'd love to securely monetize a few webapps of mine.

------
pdkl95
The document ($PAGE + $NEW_JS_SCRIPT) is a new, different work. I doubt the
added Javascript is a large enough change to be considered "transformative"
and worthy of a separate copyright. The new work isn't a fair use of the
original work, because it doesn't meet the statutory requirements[1]: 1) isn't
a protected use (education, journalism, criticism, etc), 2) the original work
is usually creative and (patently) published, and 3) the entire original work
was included. Since the Javascript was added without consent (or even
any notification), we can assume GoDaddy hasn't negotiated with the original
authors for a license to make derivative works.

Therefore this is probably a violation of copyright. Does anybody using GoDaddy
for hosting want to sue GoDaddy? Statutory damages up[2] to $150,000 per work
adds up fast.

[1]
[https://www.law.cornell.edu/uscode/text/17/107](https://www.law.cornell.edu/uscode/text/17/107)

[2] actual damage amount in copyright cases varies a _lot_ - this is simply
an upper limit

~~~
naniwaduni
Sadly, I think they have their ass covered in their TOS, under "User Content
Other Than User Submissions": "You hereby grant GoDaddy a worldwide, non-
exclusive, royalty-free, sublicensable (through multiple tiers), and
transferable license to use, reproduce, distribute, prepare derivative works
of, combine with other works, display, and perform your User Content in
connection with this Site, the Services and GoDaddy’s (and GoDaddy’s
affiliates’) business(es), including without limitation for promoting and
redistributing all or part of this Site in any media formats and through any
media channels without restrictions of any kind and without payment or other
consideration of any kind, or permission or notification, to you or any third
party."

I'll admit I didn't look that closely though.

------
DonHopkins
Why are you using godaddy in the first place? It's not like they aren't
universally reviled for many good reasons. You deserve what you get for not
educating yourself about what a terrible company they are and voting with your
feet.

You might as well be complaining that you're surprised Larry Ellison isn't
looking out for your best interests, David Miscavige tried to brainwash you,
Donald Trump didn't tell you the truth, and Rick James ground his muddy cowboy
boots all over your suede couch.

[https://www.youtube.com/watch?v=ddIz-ydl6Yk](https://www.youtube.com/watch?v=ddIz-ydl6Yk)

~~~
wpietri
I don't think victims ever "deserve what they get". Yes, he's responsible for
the outcome. But outfits like GoDaddy exist because they're good enough at
advertising and PR to fool the novice. People can't be experts in everything.

Blame should stick to the bad actor, not the people they sucker.

~~~
JohnFen
> People can't be experts in everything.

But you don't have to be an expert to conduct a web search.

> Blame should stick to the bad actor, not the people they sucker.

I mostly agree with this, but I have a hard time not placing just a little
blame on the people who don't engage in even the bare minimum of research.

~~~
DonHopkins
>But you don't have to be an expert to conduct a web search.

And if you don't know how to conduct a web search, you shouldn't be building a
web site.

>... placing just a little blame on the people who don't engage in even the
bare minimum of research

And GoDaddy's uncritical customers tend to be the kind of people who are
easily influenced instead of permanently repelled by the kind of commercials
GoDaddy is infamous for running.

[https://www.youtube.com/watch?v=ri47wy0scmk](https://www.youtube.com/watch?v=ri47wy0scmk)

[https://www.youtube.com/watch?v=B0cu7kRcQcs](https://www.youtube.com/watch?v=B0cu7kRcQcs)

------
userbinator
_Yet all my pages were being served with the following <script> injected into
them just before the closing </html> tag..._

The free hosts I used many years ago would do something similar, with no way
to opt out --- that is, until I figured out they were just detecting the
'</html>' and inserting before it.

Combine that knowledge with the fact that the closing tag of the HTML element
is optional, and you can guess what I did pretty easily. ;-)

~~~
pmtarantino
I remember those times. They were beautiful. I could spend hours trying to
search for the best free webhosting that included PHP, MySQL and phpMyAdmin,
and didn't fill my website with popups or banners at the top/bottom of the
webpage.

~~~
davidcorbin
The good ol days :)

------
ChuckMcM
Pretty much pure evil. But hey, it's GoDaddy, right?

There are at least three places where you can get injected, one is from the
ISP (including phone company networks), one is from the hosting provider, and
one is from add-ons in the browser.

One of the first Java applets I wrote (and you could easily do this in JS) did
a hash over the document page and reported if the hash didn't match the one
stored in the applet. These days you could throw up an otherwise invisible
div that said "Page Tampered, please report to webmaster" (or you could even do
that yourself with a lookup on your hosted side to a script that would log
IP/browser etc.).

~~~
markdown
> There are at least three places where you can get injected, one is from the
> ISP

I'm not sure if they still do it, but Vodafone in my country (and many others)
used to cache and compress photos on all websites, which often led to visible
degradation in image quality. Luckily I discovered that their software
respected the `Cache-Control: no-transform` header, so I include that header on
all my websites now.

~~~
int0x80
Vodafone also injected custom JS/HTML into non-HTTPS pages (obviously). This
was 2 years ago.

~~~
markdown
That's right. The js rewrote all image src attributes to point to the
"optimised" photos they'd cached.

------
KrishnaGD
Hey everyone, Krishna here, I’m on the hosting team here at GoDaddy. There are
some excellent points in this thread. I wanted to give a little bit of
background about GoDaddy’s use of Real User Metrics (RUM) and our plan
regarding its use moving forward.

A little more than a year ago, we created a RUM javascript for our customers.
The javascript is extremely lightweight and evaluates hosting performance
only. We did this to create a better hosting environment for our customers. We
rolled this out to a small subset of customers.

As the RUM proved very beneficial in optimizing our hosting platform for our
customers, we decided to roll it out to a wider audience. That said, we
clearly could have better communicated this program.

Based on all the feedback, we have decided to turn off the RUM javascript
immediately and focus on designing the program so that customer participation
is on an opt-in only basis. While the RUM data is beneficial in helping us
improve our customers’ website performance, we regret that the implementation
has upset many of our customers and we apologize for any inconvenience this
has caused.

Narasimha Krishnakumar, VP of Product Management - Hosting, GoDaddy

~~~
Calib3r
If there is a chance this would break someone's website, why would you default
this feature to being on?

Please Daddy, don't be so rough.

~~~
KrishnaGD
We are not perfect and should have thought through this more. We created the
script to be as non-intrusive and lightweight as possible. The number of
incidents we saw were so minimal, we kept moving. We’ve obviously learned a
lot from this and it will be 100% opt-in when we reintroduce it later.

------
namuol
How to stop it: Use a different hosting service.

~~~
mark-r
I thought that would be good enough, I went with WebFaction. But it seems they
recently merged with GoDaddy, so even though I explicitly avoided them it
turned out I didn't.

Who's a good alternative these days?

~~~
ahmedalsudani
Hover, Gandi, Namecheap, AWS, Google, Cloudflare.

There are many decent alternatives. From the above, I have used all but Google
and Cloudflare. My experience has been pleasant with all that I have used.

~~~
tracker1
I've been _very_ happy with Google's registrar service... the only down side
is you cannot bulk edit contacts. The couple times I've needed support they've
been available within a couple minutes (once by phone, twice in browser chat).
Not like any other Google support issue. Some prices are a little more than
GoDaddy, others a little less, that part was pretty much a wash.

The biggest advantage over Google's registrar service, is there's no upsell,
at least not that I noticed. They do offer some integrated service options.
The included google dns hosting and mail forwarding services are great imho.
It could use some slight improvements in UI/UX, but still better than any
other registrar I've tried by a large margin.

Mileage may vary, of course, but I really do like the service overall. I'm not
affiliated with Google, don't always like everything they do, and do have some
reservations about them as a company. That said, imho the best registrar
option available.

------
austincheney
This has convinced me to take precautions. I am adding some logic to my site
that if there are more than two script tags (I only have 2) replace body
content with error text and send an xhr notification back to the server so
that the server will know their pages are compromised

It’s as simple as document.getElementsByTagName(“script”).length

EDIT:

Here is my tested more sane approach:
[https://gist.github.com/prettydiff/f9f85fffb00a903ecd3f2cfe0...](https://gist.github.com/prettydiff/f9f85fffb00a903ecd3f2cfe0c276d62)

I do not have an xhr notification in place in the gist, because I have not
written a service to receive it yet.
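
A monitoring-side version of the check in this comment, as an added example that is not code from the article, from austincheney's gist, or from any other commenter. It runs the script-count check from this comment and the whole-page hash check ChuckMcM describes upthread from outside the page, against a copy of the HTML as deployed, and uses a stand-in injector that keys on the literal `</html>` the way userbinator describes, so the effect of omitting that optional closing tag can be seen. The page, the allowed script path `/assets/app.js`, the tracker host `tracker.example.net` and the injected snippet are all constructed.

```python
"""Monitor a served page for scripts you did not publish.

Added example, not code from the article or from the commenters. The checks
run from the monitoring side rather than inside the page, because a client-side
check lives in the very HTML the host rewrites. The page, script names and
tracker host below are constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser

# Constructed: the page exactly as you deployed it. One script, one src.
DEPLOYED = """<!DOCTYPE html>
<html><head><title>Home</title>
<script src="/assets/app.js"></script>
</head><body><h1>Home</h1></body></html>
"""
ALLOWED_SRCS = {"/assets/app.js"}

# Constructed stand-in for a hosting-side injector: an inline bootstrap plus
# an external loader, inserted in front of the closing tag. Hypothetical host.
TRACKER = ("<script>window._t = window._t || [];</script>"
           "<script src='https://tracker.example.net/t.min.js'></script>")


def naive_injector(page: str) -> str:
    """Insert the tracker before </html>; pages without one pass untouched."""
    return page.replace("</html>", TRACKER + "</html>")


def drop_optional_closing_tags(page: str) -> str:
    """</body> and </html> are optional in HTML, so the page stays valid."""
    return page.replace("</body>", "").replace("</html>", "")


class ScriptCollector(HTMLParser):
    """Record every <script>: its src (None for inline) and its inline text."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append({"src": dict(attrs).get("src"), "code": ""})
            self._open = True

    def handle_data(self, data):
        if self._open:
            self.scripts[-1]["code"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False


def scripts_in(page: str) -> list:
    parser = ScriptCollector()
    parser.feed(page)
    parser.close()
    return parser.scripts


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit(served: str, deployed: str = DEPLOYED, allowed=frozenset(ALLOWED_SRCS)) -> dict:
    """Compare what visitors receive with what you published.

    Returns what a notification endpoint would log: whether the page hash still
    matches, whether the script count differs from the deployed page, and each
    script that is inline or loads from a src outside the allowlist."""
    expected = scripts_in(deployed)
    found = scripts_in(served)
    findings = []
    if len(found) != len(expected):
        findings.append(f"script count {len(found)} != expected {len(expected)}")
    for s in found:
        if s["src"] is None:
            findings.append("inline script: " + s["code"].strip()[:60])
        elif s["src"] not in allowed:
            findings.append("foreign script src: " + s["src"])
    hash_match = sha256_hex(served) == sha256_hex(deployed)
    return {"hash_match": hash_match,
            "tampered": bool(findings) or not hash_match,
            "findings": findings}


if __name__ == "__main__":
    print(audit(naive_injector(DEPLOYED)))
    stripped = drop_optional_closing_tags(DEPLOYED)
    print(naive_injector(stripped) == stripped)  # the naive injector finds nothing to hook
```

The hash comparison only works for pages that are byte-identical on every request; for dynamic pages compare the script inventory instead, as `audit` does alongside the hash. Fetching your own pages from a mobile connection or another network and feeding the bodies to `audit` also catches the ISP-side injection several commenters mention.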

~~~
ATsch
You could do this much easier and better with a Content-Security-Policy.
Whitelist the things you want to allow, and set a report-uri to get notified
of any CSP violations.

~~~
austincheney
CSP won't help you if you authorize scripts with a source of self or if the
malicious script contains a relative "src" attribute.

This approach has the added benefit of letting you know that malicious things
are happening.

~~~
lozenge
CSP has report options.

------
technion
I have created a gist with a "beautified" version of the script they inject.

[https://gist.github.com/technion/5de5739ee803ed0641b2de81660...](https://gist.github.com/technion/5de5739ee803ed0641b2de816600f3c1)

------
giancarlostoro
I remember when I first bought a domain from them. I guess I fell for the
marketing witchcraft, they advertised the domain for a lower price than what I
ultimately paid, once I heard about Namecheap I went there and never looked
back. My other problem was that their domain management interface was soooo
slooooow, it got to me. This was in about 2008, but I'd rather not fall for
their overpriced domains.

Edit: My other pet peeve was that they supported SOPA when that whole mess was
ongoing. I can't trust them at all since.

~~~
joering2
You shouldn't trust Namecheap either. Just because nothing happened to your
domain doesn't mean that when it does, Namecheap will help. I had numerous
issues over the years, including someone being a real jerk over their chat
who, just because of their rudeness and knowing my email and full name, was
able to take over my account.

Namecheap is not the cheapest either (Namesilo).

[https://www.trustpilot.com/review/www.namecheap.com](https://www.trustpilot.com/review/www.namecheap.com)

~~~
Ayesh
A happy NameSilo user and a former NameCheap user here. NameSilo is awesome!

Their UI will remind you of 2012 but it's functional and has all features
you'd expect to be there.

~~~
naniwaduni
A website that hasn't been gratuitously since 2010 is almost a positive sign
for a registrar, especially if you only want them to shuffle around paperwork
and not managing day-to-day technical aspects of the domain.

------
ilaksh
Since people are recommending alternatives, take a look at Netlify. It's my
new favorite thing.

For me GoDaddy is like a client test. If they are using something else for
hosting, plus one point to them. If they use GoDaddy for hosting, minus ten
points. If you can't convince them to move away from GoDaddy, you probably
want to replace that client if possible with a more reasonable or less
cheapskate one.

Also I believe that https would prevent injections.

~~~
dpacmittal
Netlify is a static site hosting, it's more like Github pages than godaddy
hosting.

------
walrus01
Nobody should ever use godaddy for a domain registrar or hosting services.
Ever inherited a domain that was with them, and had to renew it? The sheer
amount of unsolicited add-on offers you have to reject before successfully
completing a payment for domain renewal is ridiculous.

There's a reason why companies like namecheap which market themselves on "no
bullshit" registrar services are popular these days.

~~~
notyourwork
Namecheap has been great, I've also had good luck with Gandi.

------
toyg
Sigh. It’s crap like this that will eventually force me to leave WebFaction
(that GoDaddy acquired), after a decade of excellent service. I never touched
GoDaddy, but it looks like the plague comes to you these days.

~~~
kpozin
I'm in the same boat. Have you found any decent replacement for WebFaction?

~~~
toyg
Not really - the market has moved on to PaaS; a reliable shared-hosting-cum-shell
with a Python slant is not easy to come by.

I’ll probably go with an OpenBSD vps somewhere, praying not to get hacked,
plus Heroku for when I really can’t be arsed to look after a service. Quite a
pain in the ass, though. At least my domains are already on Gandi...

------
J253
Gandi is my go to alternative.

[https://www.gandi.net/en](https://www.gandi.net/en)

~~~
EduardoBautista
Mine as well. Only major registrar with U2F. They seem to take security very
seriously.

~~~
Niten
I've had good luck with Gandi in the past for SSL certificates, and their U2F
support makes me inclined to choose them as my new registrar.

On the other hand, I've heard less than great things about Gandi's reliability
and support lately. If you've had to contact their support team, what's your
experience been like?

~~~
EduardoBautista
I've never had to contact support, which might be a good thing. Although I did
leave them for a while and am in the process of moving my domains to them.

------
hilyen
The JS file creates cookies, which would break GDPR I am guessing.

~~~
paulie_a
While this seems pretty terrible in general. The GDPR is generally irrelevant.
A large amount of websites will never need to even think about GDPR. If
anything there is an over reaction complying to a law that will never be
applicable.

GDPR matters to the EU. It doesn't apply elsewhere.

~~~
jobigoud
It matters to EU citizens. We are everywhere.

~~~
markonen
I'm sure it _matters_ to you, but as a rule it doesn't _apply_ to you if you
reside outside the EEA.

It applies to "an enterprise established in the EEA or—regardless of its
location and the data subjects' citizenship—that is processing the personal
information of _data subjects inside the EEA_ " (emphasis mine, text from
Wikipedia)

~~~
pmontra
This is the actual text of Article 3 of the Directive. Check point 2. It
applies to (for example) an e-commerce in the USA if selling to somebody in
the EU or to a USA company doing behavioral tracking if tracking somebody in
the EU. In both cases, even if they are not EU citizens. Only the location
matters.

Territorial scope

1. This Regulation applies to the processing of personal data in the context
of the activities of an establishment of a controller or a processor in the
Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data
subjects who are in the Union by a controller or processor not established in
the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of
the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place
within the Union.

3. This Regulation applies to the processing of personal data by a controller
not established in the Union, but in a place where Member State law applies by
virtue of public international law.

~~~
beefhash
Sure, they're trying to broaden the scope as far as they can. But is it
_enforceable_ outside the EEA? I'd love to see a U.S. court do anything but
throw out a GDPR case or a European court's ruling based on the GDPR.

~~~
DanBC
Why do you think the EU would use US courts to enforce EU law?

The EU would use EU courts to enforce EU law. This might mean that
non-compliant websites are blocked, via court orders to ISPs, in the EU.

This already happens with some piracy sites. The blocking is inconsistent and
easily circumvented.

------
willio58
All interactions I’ve had with godaddy have been terrible.

------
boramalper
> _…and how to stop it_

by not using GoDaddy.

I mean sure, it’s fixable, but this shouldn’t be a norm (for a paid service)!

------
djsumdog
I'm guessing this is some shared hosting solution where you don't have a lot
of control or ability to add things like LetsEncrypt (but I'm sure GoDaddy
will sell you their SSL offerings).

I noticed some of my sites getting Vodafone banners when using Ireland/UK SIM
cards and realized they were injecting crap into my site. That really helped me
make the push to use LetsEncrypt on everything.

I realize that 3rd party Wi-Fi/ISPs injecting code is a slightly different
issue than the one in the article, but the solution is running SSL everywhere.
If you need to login to a captive portal that redirects, there's always
neverssl.com

~~~
benjaminjackman
> If you need to login to a captive portal that redirects, there's always
> neverssl.com

There's also:

[http://http.rip](http://http.rip)

(which is easier at least for me to remember for some reason)

~~~
roywiggins
example.com responds on http, and since it's reserved by IANA I more or less
trust it to not serve malware, so I always just use that.

------
dizzyfingers
I’ve followed HN for around 10 years now but even basic stuff like this can
come across as jazz to me. Funny thing is I understand jazz at a professional
level. I feel foolish because I use godaddy, because they have good customer
service and their interface is easy to understand but as a HN lurker I want to
have good web etiquette. I’m going to see about turning this feature off in
the way the author describes but what can I do to stay clear of the Kenny Gs
of tech? Full disclaimer I have nothing against Kenny G, and even respect him,
just one of those jazz expressions...

~~~
Jedi72
Companies that do this kind of garbage don't deserve your dollars. Its not
enough to apologise after the fact, or offer opt-out, or any other half
measures. I'm moving my domains over to someone else this week because of
this.

------
Hoasi
Not surprising given GoDaddy's long history of malpractice and terrible
behavior.

"Oh, but we've changed" they said... Glad I ran away from anything they
touched since they acquired Media Temple.

------
quickthrower2
GoDaddy: the SourceForge of web hosting.

~~~
tracker1
^^^ This is a very appropriate analogy.

------
obelos
Who ever thought a registrar would be more awful than circa-1999 NetSol?

------
adanto6840
Apparently my ISP (Cox) injects stuff as well? I've never seen this message
before, but just now stumbled on it for the first time -- have been with them
for 5+ years now, first time I've seen this message though.

[https://imgur.com/a/f4BLf3h](https://imgur.com/a/f4BLf3h)

Aside from the cap topic, it's outrageous to me that they find it OK to
alter/inject into HTTP responses like this. Send me an email, sure -- but to
alter responses?!

~~~
tracker1
This is an issue with many, especially mobile, carriers... the key is to use
HTTPS everywhere, and send issues/requests to sites not HTTPS to switch. Let's
Encrypt removes the last reason why a site shouldn't be all HTTPS.

Note: fixing redirect rules for logins on some sites is a significant PITA,
but should be adjusted accordingly by now anyway.

------
Too
Enabling HTTPS only should stop this right?

Or are they able to inject it even then since they are the hosting provider?

~~~
tuxone
No and yes.

~~~
m-ueberall
Are you sure they have full access to your TLS certificates? Or can't you
bring your own in this case?

~~~
tuxone
They host the website thus they can inject anything anywhere in the body
before https kicks in.

------
dguo
I see a lot of mentions of Namecheap in these comments, but I recently
discovered another option on tld-list[1]: Porkbun[2]. I don't need much out of
a registrar, so price is the main consideration, and Porkbun's renewal prices
are significantly cheaper ($8.70 for a .com, versus $13.16 on Namecheap).

I would consider using Cloudflare's new at-cost registrar service[3] for
everything, but they don't allow you to use non-Cloudflare nameservers.

I've also experienced strange issues with logging in to Namecheap. From what I
remember, I kept getting a server error message. Sometimes it happened after
submitting my password, and sometimes it happened after submitting my 2FA
code. Customer support couldn't help, and the issue went away the next day.

[1]: [https://tld-list.com](https://tld-list.com)

[2]: [https://porkbun.com](https://porkbun.com)

[3]:
[https://www.cloudflare.com/products/registrar/](https://www.cloudflare.com/products/registrar/)

------
Crontab
It is kind of sad how every single web-based technology is turned against us.
I shudder to think what they will be able to do with Web Assembly.

------
throwaway8879
The best way to stop it is to stop using GoDaddy. About 10 years ago.

------
ssttoo
How this company is still in business is beyond me. Maybe their clients are
less savvy (non-HN-frequenting) site owners.

~~~
roywiggins
I think that's exactly their target market.

------
heipei
I originally built a service to detect exactly this kind of large-scale
injection of content and similar occurrences (e.g. library prevalence etc).
This is a perfect example of how to find the GoDaddy injected content:
[https://urlscan.io/search/#%22tcc_l.combined.1.0.6.min.js%22](https://urlscan.io/search/#%22tcc_l.combined.1.0.6.min.js%22)

Another provider I found doing something similar is 000WebHost:
[https://urlscan.io/search/#filename%3A000webhost](https://urlscan.io/search/#filename%3A000webhost)
They "just" inject a footer with an image and a link to their service though.
Not sure how common this is in the low-cost hosting space.

~~~
ndnxhs
000webhost also had their database leaked with plain text passwords.

------
hilyen
GoDaddy has always been horrible.

------
lkdjjdjjjdskjd
Switching away from GoDaddy seems like a better approach.

On a related note, last I tried Cloudflare (a couple of years ago) they also
injected JavaScript into my site. The JavaScript was larger than my site.

------
throwaway321388
This is nothing. India's state-owned ISP BSNL routinely injects js tracking
and ads into HTTP pages.

[https://www.reddit.com/r/india/comments/8wj6ec/bsnl_and_mtnl...](https://www.reddit.com/r/india/comments/8wj6ec/bsnl_and_mtnl_are_injecting_malicious_ads_on/)

It's not surprising that this PSU like every other in India is being destroyed
from the inside, and is well on its way into the mouths of the private vulture
funds.

------
ddtaylor
> "Monitoring performance"

I can't think of anything related to performance of the server that can/should
be monitored using a client-side script versus a server-side component.

------
oneepic
I read the code gist that someone else posted earlier...can someone explain to
me exactly why this is gross in the first place?

I can easily imagine a scenario where someone innocently added this code with
good intentions (i.e. purely for performance data that sites can use) as
opposed to being evil. It may be the case that there wasn't enough internal
review of the code in question, and that's all. Also you have the ability to
opt out...

------
linkmotif
Serious question, why do people use GoDaddy? What does it have to offer in
terms of price/features/anything that’s better than any other provider?

~~~
miguelmota
GoDaddy has crazy marketing and dominates search results in that regard.

They bait and switch their customers into buying a really cheap domain for the
first year and then rake up the price for subsequent years.

It's annoying for businesses to switch everything over to a new provider,
especially not so technical people that don't want downtime, so they eat the
cost.

GoDaddy alternatives which aren't shady are:

Namecheap

iwantmyname

AWS Route53 Domains

Google Domains (wouldn't be surprised if they kill this service though)

~~~
aaronds
+1 for iwantmyname - such a simple service - does exactly what I want without
any fuss

~~~
stephenhuey
Yes, I moved some stuff from Hover to iwantmyname because they don’t abstract
anything important and there’s no clutter. Hover isn’t bad, but I was looking
for something even more geek-appealing!

------
ojosilva
I switched to name.com a while back due to decent pricing and an easy-to-use
REST API to change some of my subdomains' IP addresses dynamically.

Has anyone encountered sleazy practices like GoDaddy's with name.com? I take my
domain registrar's reliability and business practices very seriously!

------
MrMorden
Pair Domains takes my money and provides me exactly what they advertise. The
only issue I've had is that their DNS service doesn't have all the record
types I want, so I use CloudFlare for that.

------
sonnyblarney
Anyone care to explain, line by line, what that JS actually does?

~~~
technion
It's going to take some time to break it down line by line because it's
minified and reads like garbage.

But look at line #230. You're basically seeing a list of information it
gathers, and everything above helps populate that information.

Then everything below posts it off to their server.

------
ykevinator
Injecting is misleading, why don't people just use Amazon, is it just too much
work or is shared hosting that much cheaper including cost of maintenance?

~~~
dylan604
Shared hosting is typically a set amount per month. AWS is a mystery on
pricing.

------
robin_reala
I use a CSP on my site to work around potential JS injections: _script-src
'none'_. Possibly a little heavy handed but it does the job.

------
ve55
GoDaddy has always been one of the worst providers or registrars someone can
use. I wish I was surprised by a practice this bad.

------
JohnFen
Wow. This is completely over the line and unacceptable.

It appears that GoDaddy's reputation for being dodgy is well-earned.

------
zaro
> Luckily there is a way to turn this off

Luckily I am not using GoDaddy and most probably never will.

------
tyingq
Since it appears to be opt-out and hidden, this seems like it might be in
violation of CFAA.

------
EastSmith
Spent half a day moving all my domains out of GoDaddy to Cloudflare. Never
felt better.

------
dzek69
It reminds me of the times of 5MB free web hosting from 2000 or so. A lot of
them were doing it.

------
demarq
Probably should be an Ask HN, but in 2019 isn't there a ready-to-go Docker
image or something that allows you to be your own webhost? Isn't it weird that
we still pay for someone to run an Apache instance for us on the web?

~~~
Koffiepoeder
1) You need an ISP which allows this (opening ports 80 and 443), or that
allows hosting more generally.

2) It is probably not a good idea to have people manage webservers without in-
depth security and server knowledge.

3) You still have to arrange DNS-hosting.

4) Webhosting can be a lot of things, e.g. database hosting, http website
hosting, email hosting, etc...

5) When hosting your own website, traffic bursts might become a problem for
your own internet. Do you really want to open your own IP for DDoS attacks?

6) Probably external nameservers (e.g. cloudflare) would be a good idea (see
5).

7) By hosting your own server, you have a lot more legal liabilities.

There's a lot more to this than you would think on first sight. I outlined
just a few problems and issues above, but there's probably many more. Truth is
that it's probably not a good idea to host your own website if you're just a
small business, or hobbyist (unless you want to learn something).

~~~
demarq
okay, good points.

> You need an ISP which allows this (opening ports 80 and 443)

Anywhere on the internet that allows you to run a box allows you pretty much
any port you like: DO, Linode, Lightsail.

> It is probably not a good idea to have people manage webservers without
> in-depth security and server knowledge.

Yes. But in my experience most pwning happens due to application security
rather than server security, i.e. WordPress/Drupal instances that aren't
updated regularly and vulnerable plugins installed on the same. But I see your
point, and I think it applies to any DIY effort.

> database hosting, http website hosting, email hosting

Yeah, when you sign up to any host out there they give you email, SEO, and
logging. But I feel most clients would only really need database + app + email
services. And for email, Gmail and Proton are really the only quality choices.
So you could get away with only offering database + app hosting.

> You still have to arrange DNS-hosting.

No, I think most domain registrars will do this for you and offer a decent
interface around this. I use Namecheap and they are just stellar!

> When hosting your own website, traffic bursts might become a problem

This is the same for most webhosts anyway. In fact the problem is worse for
webhosts. The cheapest box on Digital Ocean can easily outperform your
run-of-the-mill webhosting package. The resources available to each app on
shared hosting are laughable for anything but your mom-and-pop local bakery or
blog.

> Do you really want to open your own IP for DDoS attacks?

I don't think this is a problem you can get away from either way. You
eventually have to use a service like cloudflare as you mentioned for this;
webhosted or DIY.

> By hosting your own server, you have a lot more legal liabilities.

I agree with you on this one.

~~~
detaro
> _Anywhere on the internet that allows you to run a box allows you pretty
> much any port you like. DO, Linode, Light Sail_

So instead of paying someone to run Apache for you, you pay someone to run the
box you run your Apache on? Why is that better if you just need Apache running
somewhere? I run my own stuff on a VPS too, but for people just wanting
hosting I'd generally recommend plain hosting from a trustworthy provider.

------
droithomme
This can cause massive unwanted legal liabilities to the customer under GDPR.

------
tr33house
Went to Google Domains a while back and am never turning back. Waiting for my
domains with them to expire before turning them all over. GoDaddy runs its
business like they only want to do business once with you.

------
oyebenny
How does someone stop their internet service provider from doing this?

~~~
ndnxhs
VPN/https

------
jppope
Might be a good time to remind everyone that Cloudflare is providing
profitless domain renewals ;)

~~~
Jerry2
Cloudflare still lacks U2F. For domain names and hosting, this is something
that you should not compromise on.

~~~
user5994461
Cloudflare has had 2 factor authentication for years.

[https://support.cloudflare.com/hc/en-us/articles/200167866-H...](https://support.cloudflare.com/hc/en-us/articles/200167866-How-do-I-set-up-two-factor-authentication-)

~~~
Jerry2
Not U2F. App/SMS 2FA can be bypassed.

------
foobarbecue
I've used godaddy, namecheap, and 101domain. Godaddy was about ten million
times better than 101domain in terms of customer service. I'm kind of
surprised they would do something this malicious.

~~~
vortico
This article is about GoDaddy web hosting, not DNS.

~~~
foobarbecue
oops!

------
throwdaddy425
This is facepalm-worthy and very unsettling. This is why I use NameCheap.

------
zzo38computer
If someone is injecting JavaScript code into your website and you do not want
it, put in your own JavaScript code which causes it to display a message
asking the user to disable JavaScript if they want to access your webpage!

------
Brajeshwar
The best "How to stop it" would be to change registrars. Domain registrar is a
highly commoditized, extremely low margin, volume play business. There is
always another company better than the other.

Personally, I have a ResellerClub account that I 'sell' to myself and my
family. I also use name.com and namecheap.com for both my personal and my
companies' domains. They are all good.

There is Google too, and CloudFlare entered the market.

Question: Even if one registers with GoDaddy, if the DNS is at CloudFlare it
won't have this problem, right?

~~~
lathiat
Doesn’t even matter where the DNS is. This is happening on the actual web
hosting server.

