Hacker News new | past | comments | ask | show | jobs | submit login

Is being cynical about this allowed?

Google throws down a few hundred grand to get the .app domain, in concert with modifying their web browser to deliberately mark others' traffic as "Insecure" (it is not necessarily!), and reaps the fees now and in perpetuity ever year thereafter for maintaining a simple database of DNS glue entries which you literally could maintain using MS Access (by which I mean, the database schema and maintainence is bog-simple).

How is the coming Chrome modification not "tying"? Anyone familiar with anti-trust laws care to comment?




.app was a tiny bit more expensive to acquire than that ... http://www.businessinsider.com/google-just-paid-25-million-t...

We're not expecting to make our money back on this one. And these amounts are a drop in bucket compared to many other Google products anyway.

So a cynical profit motive is not why we're doing it. We're doing it for the stated reasons, to move security forward on the Web; see https://security.googleblog.com/2017/09/broadening-hsts-to-s... and https://security.googleblog.com/2018/02/a-secure-web-is-here...

Also, I could talk your ear off about the design of our infrastructure for hours. Suffice it to say, it's a lot harder than you're making it out to be, particularly as regards to scaling. Our registry platform is open source, so feel free to inspect the code at https://nomulus.foo . And that's not even getting into DNS hosting, which involves a very large number of instances distributed around the entire globe.


Thanks for the correction about the price.

However, 10 years of 1 million domains, even if Google's cut is only $1 out of the registration price, is still $10 million per year * 10 years = $100 million.

If Google's own registry is used and you capture more of the ($17/year ?) domain fee, it goes up by multiples of that.

Correct me if I am wrong, but serving the DNS entries of .app will be almost the same as serving up a DNS entry for another domain like .com: the HSTS/https-only requirements will be set up in the browser, not the DNS server.

And serving DNS has been handled successfully and profitably by Namecheap/GoDaddy/Moniker et al for years.


Alphabet made $31B in revenue last quarter. [1] CydeWeys already addressed their costs, but $100M over 10 years doesn't exactly sound like something they get out of bed for, especially considering they're already out $25M and they really will have expenses to cover for this.

[1] https://abc.xyz/investor/pdf/2018Q1_alphabet_earnings_releas...


I'm seeing prices from $17 - $15,000 for preregistration and the pricing tiers seem very arbitrary... is there any documentation on how Google sets the pricing?


Please see my top level comment here that I've since left.

Note that registrars ultimately set the pricing that you see, which is why it's different across different registrars, same as if you wanted to buy, e.g., a .com domain.


But not only to take care of internet security, but also to protect our children from terrorist and pedophiles, right? I wonder where I have heard similar use of wording that introduced a bunch of new laws harmfull for anything related with freedom...


> So a cynical profit motive is not why we're doing it

That's, if anything, less reassuring.

Google doing it to make money makes sense. THey are a for profit company, it's what they do.

Goodness of our hearts just makes me suspect it's more evil. Quit being evil google.


> (it is not necessarily!)

HTTP traffic -is- necessarily insecure. It's trivial for anyone on your network to run Wireshark and see/modify all of your traffic. And a lack of HSTS leaves your site potentially vulnerable to SSLstrip.


And we have the first person to confound not having a .app with not encrypting the connection here. The comment you replied to did not imply that HTTP is not necessarily insecure, it said that you can (quite obviously) use HTTPS with any TLD.


The comment referred to Google flagging other content as insecure; Google does that for HTTP content, not non-.app content.

The problem is either the “not necessarily” part is wrong (in regard to flagging HTTP) or the criticism is directed at a fantasy that isn't actually occurring (in regard to flagging things that aren't .app). Either way, the criticism is defective.


Nope:

> Google throws down a few hundred grand to get the .app domain,

> in concert with modifying their web browser

> to deliberately mark others' traffic as "Insecure"

> (it is not necessarily!),

> and reaps the fees now

This is what patrickg_zill's comment said, just with some newlines and emphasis to make it more understandable. The not necessarily does not refer to HTTP, it refers to non-.app domains. And there is no "criticism is directed at a fantasy", there is a cynical prediction which is completely possible in all respects. You---or I---may think that that'll never be the reality, but regardless, that's what the comment said, and the other commenter misunderstood. I don't get why I get downvotes and criticism for this.


It still reads to me like they meant non-HTTPS connections, as that is what they mark insecure in concert with buying the .app domain.

They -could- have meant .app, but we'd need the guys word to know for sure. It's not as straightforward of a comment as you think it is.


That is probably because you want to understand it so. I give up, they completely meant HTTP vs. HTTPS...


I'm getting it from here:

> modifying their web browser to deliberately mark others' traffic as "Insecure"

I'm assuming the parent comment meant how Chrome marks HTTP connections as insecure; they're not marking TLD's that aren't .app as insecure.


I think the idea would be that Chrome would sooner or later mark non-HSTS sites like .app as 'half secure' or add a special extra greener bar for .app sites. Given Google's track record, I wouldn't really doubt it.


non-HSTS sites like .app

What?

add a special extra greener bar for .app sites

That would be really weird, considering that most Google sites are not .app, and would be quite a pain to change. Suddenly every competitor to their services get a special greener bar for a few bucks?


If I read correctly they meant the opposite, i.e. marked insecure if not .app.


And it won't take many registrations to recoup the investment. They're charging $999 / year at least for pre-registrations. I clicked through to the price using godaddy and the $16.99 / year price quickly got replaced by the higher number which also indicated that $1000 was the yearly renewal price if one gets the domain through pre-registration. (Your money gets refunded if you don't get the domain.) I'm sure godaddy gets a decent portion of the $1k, but damn.


That preregistration amount changes based on the domain you are trying to register. More popular terms cost significantly more.


also indicated that $1000 was the yearly renewal price if one gets the domain through pre-registration.

That's just on GoDaddy.

"EAP is a one-time acquisition fee; you do not pay that on subsequent renewal."

https://news.ycombinator.com/item?id=16971246


Google won't get extra fees from sites running HTTPS. There is no indication that they will make any difference between sites on TLDs that enforce HTTPS and any other site with HTTPS enabled. Anyone running a new TLD can make it HTTPS-only if they think that's something domain-buyers want. Where's the problematic way of making profit for them? I don't think being HTTPS-only will do much for the success of .app.


An HTTPS-only web is very much in Google’s economic interest, as it vastly increases the barrier to entry of tracking users across the web, which is Google’s core business.


Anyone running a new TLD can make it HTTPS-only if they think that's something domain-buyers want

How does that work? I thought they needed cooperation from browser makers.

Edit: explained here: https://news.ycombinator.com/item?id=16968262


True, they will not get extra fees from sites running HTTPS.

However, they will get extra fees from any .app domain registrations.


Yes. How does the HTTPS stuff relate to that in a way that increases those?


> it is not necessarily

Sure, but labeling a site as “Possibly not secure” wouldn’t be a very effective way of communicating the risks to users.


> and reaps the fees

AFAIK Google does not have a monopoly on .app registrations:

https://get.app/


Google owns and operates the TLD.

Many registrars will sell .app names, but they pay a portion of every sale to Google.




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: