I bought netflix.soy (tinyprojects.dev)
410 points by stokesyio 42 days ago | 256 comments

A Google domain name is lying on the ground. An IT guy walks past it. A friend asks: "Didn't you see the Google domain name there?" The IT guy replies: "I thought I saw something, but I must've imagined it. If there had been a Google domain on the ground, someone would've picked it up."

For anyone unfamiliar, this is a clever riff on a classic economics joke about the Efficient Market Hypothesis [1].

"Two economists are walking down the street and one of them notices what appears to be a $20 bill (or a $100 bill—the monetary amounts vary) on the sidewalk. “It’s not a real $20 bill,” the other economist declares. “If it were a real $20 bill, someone would have picked it up off the sidewalk already.”"

[1]: https://www.barrypopik.com/index.php/new_york_city/entry/if_...

Except the $20 bill in this case is a $-10 bill (or whatever the domain name costs), as there is no profit to be made by registering a top company's trademark as a domain name.

Ha exactly — like a briefcase with $1million on the sidewalk. No way I’m touching that!

I too don’t want Javier Bardem hunting me down.

Need to watch that again. Thanks for reminding me. His role was awesome.

I will never watch that again. Too depressing. His role was awesome.

Or Lloyd Christmas

Well we know he'd do it for $2M. But for $1M...what are the odds?

Yup. It's more like lots of people were walking along and saw exactly what it was, and knew better than to touch it.

> $-10 bill (or whatever the domain name costs)

For the curious, .soy seems to be one of the more expensive TLDs. It's $34.54 at Gandi, $25.98 at Namecheap, $35.99 at Network Solutions, and $20 at Google. (I also tried at Bluehost, HostGator, and GoDaddy, but none of them seem to even offer .soy).

It looks like netflix.soy was registered via Google, so that would be a $-20 bill.

Would a proper analogy be: free boat! (needs work, might be radioactive)?

I wouldn't necessarily think like that.

A domain can be either resold to another third party or could be sold to the trademark owner itself. You might reach a price agreement that brings you some money and costs the trademark owner less than getting a lawyer involved.

While it is an unwinnable case, there is a positive dollar amount to settling out of court.

No there isn't. Companies won't pay you money for having cybersquatted on their obvious trademark. You'll lose the domain flat out through UDRP.

The best outcome that can happen to you if you find yourself in such a situation is that you relinquish the domain name for free and nothing further comes from it.

Arbitration through UDRP is expensive, both in terms of process costs and employee time. A reasonable company would probably pay more than registration costs to avoid it.

Not if you take into account that they also want to deter future cybersquatting.

Covering actual costs without significant profit is a deterrent. If it costs $20 to register and you ask for $30 I think you're likely to get it.

You're underestimating how much value there is to companies in setting precedent on defending their trademark with an easy and practically guaranteed win. Companies need to proactively defend their trademark when it's being infringed upon or they risk losing it, and this is a really easy way to defend it.

The precedent is already established, you're missing the point: in order to enforce such precedent you have to go to court anyway.

And that costs money.

Looks like you haven't heard of https://nissan.com/.

They've had the domain for years.

Except that isn't cybersquatting. His name is Nissan and he did business as 'Nissan' before Nissan called themselves Nissan in the USA.

Sure, if your name is Mike Google, then you might have better chances at keeping your domain. Probably still not good chances to profit off of it.

Now this is a valid reason to give your kid the surname of a brand. To get rich quick. Too bad that this also limits employment options in the long run (can you imagine Google working for Amazon?)

It reminds me of the story of Mike Rowe, who named his company Mike Rowe Soft. Here are the details: https://en.m.wikipedia.org/wiki/Microsoft_v._MikeRoweSoft

Except having the name is not enough, you also need to have used it in business already.

Happens all the time, as many brand names come from family names and the founder isn't the only person bearing that name.

>you also need to have used it in business already.

What is this based on? Because surely I have the right to own mylastname.suffix without being a business even if someone decides to make a business that bears my family name.

Might be less limiting than you think.

There was famously an apple store employee called "Sam Sung" - https://www.cultofmac.com/290116/sam-sung-auctioning-apple-s...

If it were your middle name then you could have the option to omit when needed.

Wow, the look of that website made me feel like a teenager again!

Especially if you have a cute story like the MikeRoweSoft guy did.

He bought mikerowesoft.com though, not microsoft.soy. It would not have ended the way it did if he'd bought the latter. His case was a lot less clear cut than a blatant exact string match on an unambiguous trademark. Also, Mike Rowe is actually his name; Netflix is not this guy's name.

I think Nissan.com is more illustrative -- it was a guy named Nissan[1] who had an actual computer business in his name and got to keep it away from Nissan Motors, but now his site has a lot more to do with bragging about his fight with the motor company than actual computer stuff.

[1] Hebrew/Israeli name usually transliterated as "Nisan"

Interesting, why doesn't Nissan Motor just pay more money, say a million, for it?

Surely they can afford it.

Took a quick look at the case. I'm guessing some corp lawyer, maybe even general counsel, didn't have enough "real work" to do and needed to make a name for himself. Then it became a giant d* measuring contest.

Source: Went to law school. Never practiced though.

They got bad self-serving advice from lawyers. A lawyer doesn't get paid much if all they do is write up a contract for a private agreement to buy a domain, but they get paid a lot if the disagreement goes to trial instead.

In case you've never heard of them: https://microsoft-informatica.com/

Yes, they were here first.

That reminds me of my father's advice when I wanted to buy a house. He said if the house was so good why hasn't anyone bought it yet.

A little anecdote. I actually had this exact situation happen to me when I was a kid.

I was walking in a crowded street just outside a shopping center and there were a bunch of $50 bills being blown by the wind. No one was paying any attention to them so I picked one of them up. You can imagine my surprise when I realised that they were real.

All in all it ended up being roughly $3000 and my mum took the money to the police station. No one claimed it and a few months later we got to keep it.

With the expansion of TLDs, this just means that apex domains of a TLD will still be subject to trademarks.

google.pizza, google.yoga, google.keyboard will all be trivially easy for Google to claim trademark infringement for.

So while it's cute that you can register "google.soy" -- if Google cares enough they'll take it from you.

I don't doubt google would attempt to do this, and probably win simply by being able to out resource an individual who registered the domain, however, my limited understanding of trademark law is this wouldn't necessarily be a valid claim.

My understanding is trademarks are a protection against consumer confusion, so as long as companies aren't selling similar products or services, or competing in the same geography there isn't a problem. This is difficult with google, but a non-tech scuba company operating under google.scuba or googlescuba.com wouldn't necessarily infringe on google the tech company unless they're actively doing something to make consumer believe they're dealing with google the tech company.

Google is difficult with its large breadth of interests, but for most tech companies this is likely more about exploiting flaws with the legal system by out resourcing opponents more than legitimate claims (thinking the oracles, salesforces, dells, Intels, etc).

While this is generally true, it doesn’t apply to a famous and unique mark which would definitely be covered by trademark dilution in this case.

See: https://en.m.wikipedia.org/wiki/Trademark_dilution

IANAL but I'm pretty sure those examples could still be trademark infringement. Since Google is a global company and brand, someone could easily assume since your site is called google.scuba or googlescuba.com, you are in some way affiliated with or endorsed by Google. Perhaps you'd be OK if you made it very clear that wasn't the case, but I wouldn't want to bet on it.

I don't know what legal relationship it has to US trademark law, if any, but I've heard ICANN has its own sort of arbitration process for domain squatting disputes.

> apex domains of a TLD

aka domain names.

Although apple.records would not be available to Apple Computer. Trademark classes will make this all more interesting.

In fact, they're the only good argument in favour of expanded TLDs that I can think of.


So… these aren't accessible without specially configured DNS, right? Given that the point of domains is to let people get to your site, a TLD only accessible after reconfiguring your computer to use a little-known DNS competitor seems worth a hell of a lot less than $19,000.

Yeah...this basically ignores those totally minor perks like “SEO” and “people can actually find your site.” Unless I’m missing something here.

smells like new.net

This is spam.

Interestingly, I recently saw a couple of google.* domains available on Google Domains, including some reasonable-sounding ones: IIRC, google.tech (edit: google.page), google.business, and google.camp. Tried to purchase them but they instantly became unavailable the moment I tried to do so. The cynic in me thinks that Google has a special check for those and renews it themselves if someone tries…

More generally, however: all these TLDs are kind of stupid, and trying to make sure you own every single TLD for your business is similar to a protection racket where you have to pay just so something bad doesn't happen to you. Perhaps we should stop trying to make a billion of them.

>Interestingly, I recently saw a couple of google.* domains available on Google Domains, including some reasonable-sounding ones: IIRC, google.tech, google.business, and google.camp. Tried to purchase them but they instantly became unavailable the moment I tried to do so. The cynic in me thinks that Google has a special check for those and renews it themselves if someone tries…

It must have been a bug in Google Domains, all three domains were registered ~5 years ago.

It could have been an interruption in connectivity with the registry operator(s) for those TLDs. When that happens, most registrars will at least attempt to buy domains they're currently unable to retrieve the status of. You only get charged if the domain actually ends up being created.

I have experienced this bug in Google Domains before (for non Google related domain names). Interestingly, it seems to particularly affect domains that are registered but unused.

This isn't isolated to Google Domains, however. GoDaddy's website let me go through the entire checkout process with 2 or 3 registered domain names, followed by a refund an hour later.

Yes, but I figured they might have lapsed. I idly check it from time to time and they certainly didn't show up as available previously.

> they instantly became unavailable the moment I tried to do so. The cynic in me thinks that Google has a special check for those and renews it themselves if someone tries

My guess is that they were never available and they are doing a poor job of figuring out which domains are taken and which are not. I've seen this in several other domain name search sites too, especially if there is no nameserver for a registered domain.

Which is most likely because registries are known for having poor infrastructure. If registrars can't see the name is taken from the registry, they will default to available.

I worked on some registrar-related stuff years ago now and even at that time, Verisign was known for having poor support of providing information about .com registrations.

> Which is most likely because registries are known for having poor infrastructure.

If people only knew that the internet was held together with bubblegum and duct tape...

Every fundamental layer has just crazy / old legacy foundations that are just incompatible with safe systems. Really opened my eyes when I saw how telco routing worked at the lowest levels.

Clicking "purchase" on them must have kicked the system into fixing itself, then, because they stopped showing up as such after I did so.

I think so too, because that's when they do the (presumably resource intensive) call to actually attempt the registration and they can update their "most likely available" list with this definitive data.

Even better yet, it would be interesting if we just abandoned TLDs. There is no reason why http://google/ can't work, really, with a bunch of infrastructure changes.

Infrastructure changes aren't even needed; Google already owns the .google TLD. All they would need to do is attach an A record to the root.

Sure, but why would they?

Can you imagine all the search advertising Google would lose if they allowed just 'nike' and 'att' to resolve the websites in Chrome, rather than search results?

Did we just find the secret to beating google?

ICANN doesn't allow A records on the DNS root on gTLDs. If they did, we already would've.

This explains so much. I'd always wondered why e.g. CERN's website was served from home.cern instead of just cern.

http://cm./ used to resolve


http://to./ used to be a URL shortener.

Either the rules on ccTLDs are different, or it's a recentish crackdown.

There are no rules for ccTLDs, which their countries like to claim as sovereign property (see https://meetings.icann.org/en/dublin54/schedule/wed-ccnso-me... and https://gac.icann.org/principles-and-guidelines/public/princ... for some of the views)

Some ccTLDS voluntarily agree to abide by the same rules and operational requirements as the gTLDs - https://www.icann.org/resources/pages/cctld-2012-02-25-en has more details.

This means, for example, that ccTLDs aren’t bound by the findings from SAC053 at https://www.icann.org/en/system/files/files/sac-053-en.pdf which have been included in the gTLD contracts.

Wow, that's a glimpse into the past

.cm is a ccTLD, not a gTLD. All two-letter TLDs are ccTLDs and all 3+ letter TLDs are gTLDs. Countries have wide latitude to do whatever they want with their ccTLDs.

http://ai./ still works

What happens if I have a computer on my network named ai? Wouldn't it cause a conflict?

I called my FreeNAS box freenas because I didn't feel very creative, and I can browse to it as http://freenas or http://freenas./ but if they took a domain of 'freenas' suddenly that means I have to do extra work and rename my stuff. Doesn't seem fair!

You should have used a reserved TLD like `.local'. If you set it as the local domain name `ai' and `ai.local' would work. `ai.' would not work, as the dot at the end tells it to look at the top level. (like the slash at the beginning of an absolute path)

Ah yes I forgot that, .local does work so I guess that fixes that problem.

They used to have an A record on some of the other TLDs they own.

I maintain a list at captnemo.in/tld-a-record

Do you remember the details?

Yes, I did a blog post when it happened: https://captnemo.in/blog/2018/06/02/google-tld-no-more-a-rec....

Google was pointing its TLDs to, and once they started using the TLDs actively, they removed the records.

With the super shady sale of .org it may be time to consider who these people are selling essentially nothing.

I was pondering about the idea of a browser extension for a sort of local DNS. Paying for domains could be ditched if everyone had a local copy of a database that mapped any character sequence (even emojis) to a server address that would get filled in by the extension in the url bar. Not sure if it would extend to mobile or all websites, but could work similar to a social network in the sense that you need to get the extension (i.e. access) first, and then you can find someone just by using a string that they've provided. Combined with something like Github pages it would offer a full free solution.

Seems like the hosts files of old and one kind of Alternative root. https://en.m.wikipedia.org/wiki/Alternative_DNS_root

I remember seeing a NIC that did this with their TLD. But I can't remember which one :/. I would love if someone finds it.

I think it's pretty common. Our national NIC does it: http://dk redirects to their website.

Surprisingly, going to http://dk redirects to https://www.penguin.com.au/browse/dk for me. How strange (I've never visited the penguin website before this).

This redirected to https://dk.com for me. Is this my ISP's DNS messing with me?

Firefox will sometimes append .com onto the URL.

What a nasty non-feature. Can this be disabled?

Does not load for me

"dk’s server IP address could not be found."

Another one is http://ai

Perhaps that will work.

This works if you add the trailing .: http://ai.

DNS suffix, to name one.

Companies like Mark Monitor will buy all of the <yourbrand>.tld's for you-- and continually grab new ones (as the set of TLDs is constantly growing). At Netflix's size, I would assume they would've paid for such a service.

It's worth noting that MarkMonitor ownership has changed in recent years.

Regardless, they certainly can register all the names for you, if that's what you ask them to do, but at some point, there's an awful lot of names, and it feels extortiony to pay for them all. I was working for a MarkMonitor client when the 'landrush' for all these new tlds was happening, and we'd get frequent emails about which tlds were going live soon, so we could decide if we wanted foo.bike or foo.sexy or foo.personals, or whatever. And then, if we wanted to pay ridiculous prices to get it early, or wait and see if we could get it at normal price (+ hefty MarkMonitor markup). We would almost certainly win a UDRP, but that's expensive too.

Then we got bought, and the new corporate overlords liked throwing money away on dumb domains, so foo.bike got registered by their team (and they had an actual domain team, so I got to shed that hat).

When you mention the change of ownership, I assume that there's an implication there, but would you be willing to be explicit about it?

They're owned by a VC firm now, which I suspect means they'll need to change how they operate in order to show growth. That's not what I would want in a registrar I'm counting on for absolute stability of domain names for my hypothetical big/important company.

Could someone register a tld and charge a crazy amount of money for it, to extort big companies?

Yes. Look up the history of .sucks

The first reason https://get.sucks mentions why you might want one of their domains is to protect your brand online.

"protect" aka good old mafia-style "protection money" rackets.

No, they can use their trademark to take control of the domain without paying any money through UDRP.

That’s not how trademark law works, at least. Does the UDRP really let trademark holders take down sites that are critical of them?

I wouldn't expect UDRP to allow a trademark holder to take down a site critical of the holder; I think that's a legitimate use of the trademark, even if it's not approved or desired.

However, that's not really what most companies are worried about, they're worried about phishing or scams or misleading sites with their name; UDRP should allow those to be taken down fairly easily, although the question is always if it's less expensive to register the domain or to leave it unregistered and dispute it if it's misused.

Yes, a company by the name of Donuts did this with over 200 new TLDs.

There are now anti-domain squatting laws on the books, aside from more conventional trademark, etc., protections.

If any of the big names found someone using a clone domain and objected to it, the domain owner - I'd expect - would find themselves having a chat with keenly interested IP attorneys.

There is the Trademark Clearinghouse which actually deals with these cases (by either automatically registering the domain for the trademark holder, or notifying them immediately if the domain is registered so they can take semi-automated action) [1]

[1] https://newgtlds.icann.org/en/about/trademark-clearinghouse

Yeah, I don't recommend buying domains with trademarks in them, even for research (or similar) purposes.

I registered a domain name with a client's trademarked name in it as part of an authorized penetration test of that client a few years ago. At the end of the test, I asked if they wanted me to transfer it to them, and they didn't. A year later, when it expired and the domain privacy stuff went away, all of that automated enforcement machinery started running, and suddenly I was being threatened with all sorts of arbitration/court appearances if I didn't transfer the domain (which I no longer owned) to them. Took weeks to sort out, and that was with documentation that I'd bought the domain as part of a pen test the client had specifically agreed to.

I felt the same when I wanted to pick my domain name: you're tempted to go for the traditional way of going with YourName, and then buy the .com or .org, but what if you buy only one of them? How does someone else know that YourName.io isn't your website if you don't buy it?

My conclusion was that your domain name must not be in the form of YourName.tld; the tld must be part of your name. You can either use puns like buying yourna.me, but it's a bit weird for non-tech people, or you have to use the weirdness of tlds and go for something like lostin.space. There is less confusion at "what comes after" because there is only one.

There is no way you'd get a "google" domain under any extension but even if you register a domain with "google" + something else you're going to lose it in a UDRP anyway.

It's possible that google and other major brand names don't have to register every extension, the names are just reserved for them alone, should they want them.

There was a dude a while back who registered google.com and gave it back when asked. I figured I might be able to do that and get a cool story to tell out of it.

He never registered google.com. google.com is hard-locked at the registry level by Verisign and has very high security manual safeguards around any changes that are made to it.

There was a temporary bug in Google Domains that made it appear as if he had bought google.com, but he had not.

Are there other domains hard-locked at the registry level? I haven't heard of this behavior before.

Yes, there are many such registry-locked domains. Verisign and most other TLD operators sell it as a service. More info:

https://www.verisign.com/en_US/channel-resources/domain-regi... https://krebsonsecurity.com/2020/01/does-your-domain-have-a-...

It's a recommended best-practice for high-value sites, which the main website of any Fortune 500 company certainly falls under.

Oh, this is available to anyone with a .com using a major registrar. I had misunderstood this to be some special feature only available to the domains that make up massive amounts of internet traffic like google.com.

There is likely to be even more scrutiny placed on any changes to domain names that employees of Verisign immediately recognize, such as "google.com". I imagine that would have to go through a very high level person at Verisign. It's in everyone's vested best interests here to not screw up something so visible as that.

I think it was GoDaddy not Google Domains.

It was Google Domains.


The guy in the article did in fact buy a google.tld - https://google.xn--9dbq2a/

I wasn't talking to the guy in the article, was I?

The guy in the article was able to do it recently. Why not the person you were replying to? (Besides the fact that now the guy in the article has done them all)

Lots of people hand registered 3 and 4 letter .coms in the past.

So because they could do it, anyone who points out it's not possible now should be downvoted and asked to explain themselves with:

Why is it not possible, beside the fact that it's not possible?

[Edited to remove excess frustration/annoyance/snark at people quibbling so much about a totally inconsequential and factual remark.]

It is unlikely that google owns trademarks in all countries for all trademark types.

Lots of domain squatters listen out for whois requests, to try to nab unregistered domains before the real interested buyer.

Wouldn't surprise me if big tech like Google does the same.

> google.com in Hebrew! And I could actually buy it. It bloody worked.

In a couple of weeks the follow-up "Google cancelled my Gmail account and won't tell me why"

Was driving to my local park when Android Auto directed me down a dark alley whereupon I was beaten by some hired goons.

One winter day, my wife looked down the coast and noticed that the bell buoy that marked the entrance to Plum Island Sound was lying on the beach. This thing is enormous, about 30 ft long. We drove down and walked around it with some other curious people. Took some pictures.

She thought that we ought to report it. I told her that many people would already have done that. A couple of days went by and there didn’t seem to be any action.

So we finally called the Coast Guard. They said, “Wow, we didn’t know that, thanks very much!”

The validity of this effect has been called into question, but for a long time, this was the "standard response" to situations like this:


Yeah the Kitty Genovese (sp) story is an example right? Wasn’t that proven to be a myth or something?

Yes, the popular story about the 30-odd bystanders was broadly unfounded. In fact there were two calls to the police.

Yes, just like Stockholm Syndrome, it was made up to cover up a bungled police response. Neither one is a real thing.

Source? https://en.wikipedia.org/wiki/Stockholm_syndrome#FBI_Law_Enf... says it's rare but FBI seems to be saying it is a real thing.

FBI isn't exactly a trustworthy source of psychology. Psychologists and the DSM do not recognise it as a real thing.

Here is the backstory of how it was created: https://twitter.com/sezmohammed/status/1252500993972948992

Similar story, different ending: I was driving over the San Mateo Bridge in broad daylight and screeched to a stop to avoid hitting a bicycle that had fallen off the back of someone's car and was sitting in the rightmost lane. We managed to get out of there after spending a long terrifying minute looking in the rearview mirror at vehicles blithely approaching us at 75 mph and swerving into another lane at the last second upon realizing we were stopped, despite the emergency blinkers. Finally a gap in traffic opened up and we were able to get out of there too.

After we cleared the bridge we called 911 and as soon as my girlfriend said the words "San Mateo Bridge" the dispatcher said "Are you calling about that bike? All the calls we're getting right now are about the bike. Police are already on the way. Have a good day." And she got hung up on!

So, fortunately, sometimes the bystander effect isn't in play, and lots of people are independently making the good decision to report a dangerous situation to 911.

I had a similar situation while driving through South Carolina on the freeway - we saw a small fire on the side of the road! My wife and I were wondering if anyone called about it and I thought that probably not, everyone assumes someone else did. We did end up calling 911 and they didn't seem aware of it yet and sent a fire crew out!

There's a terrible enterprise security product that can be configured by IT to quasi-MITM your company web traffic. Instead of relying on enterprises pushing their own trusted root certs and MITMing the whole session this terrible product redirects all traffic to (and I'm not kidding here) urls like "www.terriblesecuritycompanyname.com/www.originalurl.com" when the user accesses www.originalurl.com.

So this "enterprise security" company encourages end users to put information such as passwords into www.terriblesecuritycompanyname.com/owa.office365.com for example. Of course everyone has SSO enabled for Office 365 but everyone is also used to SSO sometimes breaking and falling back to forms based auth so people have no issue typing their passwords into any page that looks somewhat legit as long as the URL is close to what they expect and has a little lock next to it.

Anyway www.turriblesecuritycompanyname.com is available and I'm waiting for someone nefarious to purchase it and start sending phishing emails with links to www.turriblesecuritycompany.com/owa.office365.com embedded in them.

It depends on which ethical framework you subscribe to, but if I were in your shoes using my ethical framework, it seems like the small cost to me to purchasing an available domain (making the assumption here it's a standard buy and it's not one of those "make an offer for $10k" domains...) to mitigate a lot of potential hurt to other people would make me lean toward just purchasing the domain myself, or at least making the correct people aware. An equally valid counterexample would be a framework where you didn't cause the harm, so you have no obligation to intervene.

Your ethical framework in this case could clash with the arguably broken legal framework that we currently live in.

Buying a domain like that could get you into legal trouble once it is found out and people track sensitive traffic funneling to the domain. Even if you aren't doing anything with the information.

This, exactly.

One thing I've learned about "infosec" companies is that their litigiousness is inversely proportional to their actual level of security.

The similar domains I've seen are only $9 though so it's just a matter of time.

Wow, that sounds awful.

Do you know what they did (assuming not nothing) to have browsers continue to enforce the same-origin policy, and block www.terriblesecuritycompanyname.com/evilhacker.com from accessing cookies that belong to www.terriblesecuritycompanyname.com/owa.office365.com?

I haven't looked into it that deeply to see how (whether) they're handling same origin or cookie access. I assume they're doing some kind of magic other than just rewriting the URLs.

If you haven't been involved with enterprise information security you'd be surprised by how intrusive and poorly conceived these services are in a lot of cases. Tavis Ormandy and others have famously found many AV products to be running un-sandboxed untrusted javascript in kernel mode. In line web proxies have been found to do things like sign untrusted or revoked certs with a trusted root cert.

It's all pretty much a big grift to capitalize on companies' rightful cyber security fears.

> redirects all traffic to (and I'm not kidding here) urls like "www.terriblesecuritycompanyname.com/www.originalurl.com" when the user accesses www.originalurl.com.

What is the theoretical security feature they are selling by doing this?

The ability to block malware and phishing domains, insight to IT people about what sites are being visited, content filtering, etc. While most of this should be implemented in another way (like maybe a mandatory browser extension?), MITM is still the standard approach for many companies.

I don't really agree with the premise of this post. Why should Netflix or Google have to buy a domain for every stupid gTLD that someone paid a few $100k to create? The author makes it sound like that's somehow an oversight on their part.

If anything, it's sad that they ended up having to own so many gTLDs just to prevent abuse.

I think that’s what he’s saying: that this system of hundreds of TLDs means that companies can easily miss one and that becomes a vector for phishing, etc. It sounded like he was blaming ICANN, not Netflix or Google.

I'm from Israel, and this is the first time I've heard about the .קום tld. I've never seen any website that uses it.

The author mentioned that creating a new tld costs a minimum of 185k USD. This makes me wonder who would pay this kind of money for this completely useless tld.

If they managed it for only $185k I'm impressed, maybe if you did several on the same infrastructure.

It's a gold mine offering. There was a long queue of people quite sure that .binglebongle would be the new .com. Sometimes it was a marginally less stupid plan, like we can be a regional alternative - and Russia even has one that's actually making money - it isn't taking over the world, but it's Cyrillic and was never intended to. But most gold mines never produce gold, they just suck up people's money and dreams and spit out the bones.

The obscure brand TLDs are funnier. Not brands you've heard of like google, brands who are their own tiny corner of the non-IT world and figured they ought to have a TLD, so now they do to the tune of maybe six figures a year.

The Kerry Group for example owns several, as do some US financial outfits. Why? Because nobody who knew this was a stupid idea was in the room when it got decided.

> The obscure brand TLDs are funnier. Not brands you've heard of like google, brands who are their own tiny corner of the non-IT world and figured they ought to have a TLD, so now they do to the tune of maybe six figures a year.

While everyone here has certainly heard of Softbank, I find it amusing that they have their own TLD too (with sites like https://group.softbank/).

> everyone here has certainly heard of softbank

not until your comment had I heard of "softbank"

Afaik most of the new TLDs are hosted by a few specialized ISPs that have enough DNS infrastructure to comply with ICANN's standards. Apart from tech companies, nobody wants to maintain DNS servers.

I'm pretty pissed off that some TLDs went to the exclusive use of corporations. I really wanted a domain with .fox but it's taken by the media corporation which doesn't use it for anything.

Many national TLD holders (ccTLDs) control a TLD in local language.

.lk registry, for example, also controls .ලංකා and .இலங்கை (sounding "Lanka" "Ilangei" in Sinhalese and Tamil, the two other official languages in Sri Lanka), and they do not cost $185K. In fact, ccTLDs don't cost any money as far as I'm aware. DNS servers are run by the government funding but there is no cost to pay to ICANN.

Perhaps government organizations? Also not all TLDs cost 185k to create, ccTLD were given free to each country to manage for example, similarly language specific common gTLD may have had special provisions for some countries to manage perhaps.

.קום is just .com transliterated into Hebrew letters, right?

That actually seems quite useful, if people are typing not realizing the keyboard is set to Hebrew.

That would only work if the Hebrew keyboard layout they were using had this mapping of letters. Most language layouts for non-Roman scripts don't optimize for phonetically approximating the corresponding English letters (presumably on a QWERTY layout).

It appears that they don't match to the TLD letters here: https://en.wikipedia.org/wiki/Hebrew_keyboard

That's correct. Typing 'com' with the keyboard set to Hebrew results in 'בםצ' (which is not even pronounceable) not 'קום'.

The Hebrew keyboard layout has no relation to QWERTY in terms of phonetics.

There is a Hebrew phonetic keyboard layout: https://en.wikipedia.org/wiki/Hebrew_keyboard#Hebrew_on_stan... it's built in on Android, windows, Linux, etc.

Usually used by non-native Hebrew speakers.

> 'בםצ' (which is not even pronounceable)

Sounds like a new snack from Osem :)

If the keyboard was set to Hebrew then the subdomain would also be spelled out in the wrong characters, so the URL would be nonsense or go to a different site. Additionally, as people mentioned, the standard Hebrew layout is incompatible with QWERTY (I am a Hebrew speaker and have never heard of the phonetic Hebrew layout you linked to). Also when you type the URL the characters would be spelled out in the opposite right-to-left direction as .com.

If these companies notice, they can file a UDRP (https://en.wikipedia.org/wiki/Uniform_Domain-Name_Dispute-Re...) request, on the basis that the domains infringe their trademarks, and were registered and used in "bad faith".

>and were registered and used in "bad faith".

How were they registered in bad faith? He's not extorting money from Netflix, nor is he trying to deceive people into thinking he's Netflix.

UDRP typically rules in favor of the holder of the unambiguous trademark in these kinds of cases. As an example, "Exxon Mobil" refers unambiguously to a single entity only, and has no other possible uses, so anyone registering exxonmobil.{anything} would lose if the company came after them. No one else has any right to that trademark, and ICANN enforces trademark rights on domains.

If the trademark already existed when you bought the domain, and especially if it's widely used and ambiguous, you're gonna lose that domain if the company comes after you.

Contrast this with the case of, e.g., McDonald, which is a widely used surname that predates the existence of the trademark. So long as you specifically aren't trying to cause confusion with the McDonalds restaurant trademark, you can use "mcdonalds" in a domain name.

McDonald can use it after going through an expensive lawsuit where the big co will try to bully the little guy.

Which is what happened to nissan.com

What about .sucks? Couldn’t one claim free speech? https://www.forbes.com/sites/rogerkay/2015/06/29/saga-of-suc...

Free speech is a right issued by governments to the people.

It is not a valid concept between two private parties.


Yes, but the argument GP responded to was that "ICANN enforces trademark rights on domains" and that "If the trademark already existed when you bought the domain, and especially if it's widely used and ambiguous, you're gonna lose that domain if the company comes after you."

He argues that the practice has its basis in trademark laws. If it is so, nominative use of a trademark to e.g. criticize a product is considered fair use and shouldn't be ruled out by ICANN on that basis. It either wouldn't be, or ICANN have some other basis than trademark law for their rulings.

So GP's point raises an interesting question. If you had registered e.g. "google.sucks" or something similar in which the FQDN arguably forms a valid nominative use in itself in good faith to use that domain to criticize Google's business decisions and products, does ICANN have some other policy outside respecting trademark law that would compel them to take the name back and give it to Google?

The answer to that question isn't "Free speech is a right issued by governments to the people". That's a pointless non sequitur at best, and I'm frankly tired of hearing it used in defense of huge monopolies that are well deserved of scrutiny in the interest of defending freedom of expression.

I agree in that perhaps entities with a public platform (in this case, literally the internet domain) should be compelled to provide reasonably equal access/equal speech rights to everybody.

However, the law is not in that rationale's favor. US courts have repeatedly rejected the argument that private companies are state actors subject to the 1st Amendment [0].

The reality is that the internet is governed almost entirely by private companies.


> I agree in that perhaps entities with a public platform (in this case, literally the internet domain) should be compelled to provide reasonably equal access/equal speech rights to everybody.

Agree with who? I said that I'm tired of seeing the defense, especially when it's in response to a concrete question that it doesn't answer. You apparently disagree with that entirely. I'm not tired of the defense because I don't understand it, I'm tired of it because I do understand it and don't need constant reminders of it to derail legitimate discussions of how ICANN deals with possibly trademark infringing uses of their services.

I don't know what makes you believe that I don't understand that and keep posting links irrelevant to how ICANN deals with these cases, which again is the question being asked. I'm frankly not sure how I didn't make that clear in my last reply.

I built a tool to analyze UDRP Cases. If you're truly curious https://udrp.tools/?s=aad5d8d0

You can see every domain with SUCKS in it filed against and the outcome. 66 Granted (complainant won). 35 Denied. 4 Split.

My favorite domain filed against from the list: guinness-beer-really-really-sucks.com also against the guy who got the anti cyber squatting legislation created by pointing Disney typos to porn.

.sucks is a very special case. I wouldn't try to generalize anything going on there to other TLDs.

He admitted he only registered it because Netflix didn't, and he had no other non-Netflix-related website in mind to host there. I think that's borderline bad faith. It's not exactly good faith. If he had never heard of Netflix he never would have registered it.

> How were they registered in bad faith?

The article literally says that he only registered it because it clashed with an existing company. He didn't want the domain name for any other purpose.

What's he trying to do with it?

The whole framework around TLDs is very strange to me. On one hand, opening up all these gTLDs was supposed to alleviate problems with domain parking and name clashes (e.g. you could disambiguate your .blog from a .pizza restaurant). But all this did was shift the parking to other domains, some of which are ludicrously overpriced (anyone remember the .io hype?)

Secondly, regardless of where your site is hosted, you're also bound by the registrar's laws/restrictions (especially for ccTLDs), which doesn't make sense for something that is purely a routing mechanism that translates a name to an IP. It'd be fine if domain names were plentiful, but domain hacks[0] also make people use TLDs without regard to considering their territory or any implications.

The whole .org fiasco only proved further that this model with ICANN and for-profit registrars isn't tenable and a horrible fit for an open distributed internet. All these perverse incentives and political fuckery should not exist for something that is an essential part of a worldwide utility.

I'd love if HNers could share any promising alternatives to our current DNS system.

[0]: https://en.wikipedia.org/wiki/Domain_hack

This is the first time in a couple years that I have seen a reference to myself while reading an article. Thanks for the surprise!

> No. They're welcome to have them back anytime they want. They could probably do it pretty forcibly if I refused to budge too (see Microsoft vs. MikeRoweSoft).

Do you still have that Xbox?

I was just talking to a friend yesterday about "domain hacks" (where you spell some word using the TLD) in the context of country-code TLDs. Those raise some interesting issues for political reasons [1, 2].

For the newer TLDs like .soy, .pizza, .restaurant, etc. I really can't imagine that these would be adopted quickly. Even to me, these are barely recognized as URLs at all. And the possibility for domain name confusion really skyrockets, as demonstrated by the submission.

[1] https://priceonomics.com/the-rise-and-fall-of-ly/ [2] https://www.thewebmaster.com/hosting/2016/feb/27/io-tld-top-...

"Did you know it costs a minimum of $185,000 to create your own domain name ending? For that kind of money, I think ICANN, the registries and registrar sites have a massive responsibility to ensure that this never happens."

No they don't.

The same problem exists with subdomains, for example some users may visit "netflix.trustworthy-sounding-domain.com" and not notice the issue.

Meanwhile, using a weird TLD can raise suspicion even for legitimate sites. Get a dot com.

netflix.trustworthy-sounding-domain.com isn't really the same though. If I own netflix.trustworthy-sounding-domain.com, I can create facebook.trustworthy-sounding-domain.com, google.trustworthy-sounding-domain.com, etc simply by creating new DNS records. No one but myself is involved, or even knows they exist (unless I put links to them somewhere public).

On the other hand, someone owns and operates .soy, and has to actually approve new domains getting created. Part of that process could be a step that automatically screens for scammy looking registrations.

Let me explain. The problem is that somebody malicious might impersonate another company through a domain name.

So they send people emails with URLs like "netflix.user-support.com" where "user-support.com" is owned by the malicious actor. This is extremely common.

I honestly don't see any other problem. How else would you get people to visit "netflix.soy", if not by the same mechanism? It doesn't matter who controls which part of the domain, users are either going to notice the odd parts of the domain, or they are not. The fact that one is a TLD and the other isn't doesn't really make a difference, at least for uncommon TLDs.

> On the other hand, someone owns and operates .soy, and has to actually approve new domains getting created. Part of that process could be a step that automatically screens for scammy looking registrations.

Yes, but that wouldn't do anything to solve the problem. It would only make things more expensive. I honestly don't see the issue with anybody owning "netflix.soy" unless they're malicious, but in that case owning "netflix.anything-else.com" would be just as bad, if not worse. Since we can't really prevent the latter case, preventing the former case is moot.
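Added example (not from the article or from any commenter): a mail-filter style check that treats the two cases argued over above, a brand on an unexpected TLD and a brand used as a subdomain label of someone else's domain, as the same underlying problem by comparing the registrable domain against the brand's known domains. The `SUFFIXES` and `BRANDS` tables are constructed and deliberately tiny; a real deployment would load the full Public Suffix List and its own brand inventory.

```javascript
// Constructed, minimal stand-in for the Public Suffix List.
const SUFFIXES = new Set(["com", "net", "org", "soy", "dev", "co.uk"]);

// Constructed brand table: brand label -> registrable domains the brand really uses.
const BRANDS = {
  netflix: ["netflix.com"],
  facebook: ["facebook.com"],
  google: ["google.com"],
};

// Lower-case and drop a trailing root dot so "NETFLIX.SOY." compares equal to "netflix.soy".
function normalise(hostname) {
  return hostname.trim().toLowerCase().replace(/\.$/, "");
}

// Registrable domain = longest known public suffix plus one label to its left.
// Returns null when no known suffix matches or the host is itself a bare suffix.
function registrableDomain(hostname) {
  const labels = normalise(hostname).split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return null;
}

function classifyHost(hostname) {
  const host = normalise(hostname);
  const registrable = registrableDomain(host);
  if (registrable === null) {
    return { host, registrable, brand: null, verdict: "unknown-suffix" };
  }

  // A host under one of the brand's own registrable domains is fine,
  // whatever its subdomain labels say.
  for (const [brand, official] of Object.entries(BRANDS)) {
    if (official.includes(registrable)) {
      return { host, registrable, brand, verdict: "official" };
    }
  }

  const ownerLabel = registrable.split(".")[0];
  const subLabels =
    host === registrable
      ? []
      : host.slice(0, host.length - registrable.length - 1).split(".");

  for (const brand of Object.keys(BRANDS)) {
    // netflix.soy: the brand is the registered name, on a suffix the brand does not use.
    if (ownerLabel === brand) {
      return { host, registrable, brand, verdict: "brand-on-other-suffix" };
    }
    // netflix.user-support.com: the brand is only a DNS label under someone else's domain.
    if (subLabels.includes(brand)) {
      return { host, registrable, brand, verdict: "brand-in-subdomain" };
    }
  }
  return { host, registrable, brand: null, verdict: "no-brand" };
}

// Constructed sample input using host names quoted in the thread.
const SAMPLE_HOSTS = [
  "www.netflix.com",
  "netflix.soy",
  "netflix.user-support.com",
  "facebook.trustworthy-sounding-domain.com",
  "tinyprojects.dev",
];
for (const h of SAMPLE_HOSTS) {
  const c = classifyHost(h);
  console.log(`${c.host} -> ${c.verdict} (registrable: ${c.registrable})`);
}
```

Only exact label matches are checked; hyphenated, misspelled or internationalised lookalikes need additional rules.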

These sorts of “I found a name collision” blog posts often use the possibility of phishing to justify their implication of alarm.

I don’t really buy it, though. I mean, I know that phishing is a major problem, but I don’t buy that this discovery makes the problem of phishing any worse. There are an infinite number of ways to configure URLs to pass a glance test, which is the most you’ll get from most users.

> large sum of money

No, they will file a dispute and get them at registration cost, because they own the trademark.

Not always, I had for a few years the domain name of a top 10 website we all know, with a TLD for my country (.pt). I just kept it and did nothing with it and one day got a €30k offer.

I used to work for a Big Media Company. They used to scramble to buy BigMediaCompany.<new tld> whenever there was a new tld.

Then one day they stopped. The legal department decided that if someone were to buy it and use it in a way that infringed on their trademark, it would be cheaper/easier to sue or file an injunction.

For a while it was an extortion game. A new .tld like ".mobi" or ".music" would start, and they'd offer the names to Fortune 500 trademark holders for $$$$$.

Registering unambiguous trademark domains falls under the category of "play stupid games, win stupid prizes".

Could anything worse than losing out on the registration fees ever actually happen?

Absolutely. Some countries have laws against it, they could file in normal court (not UDRP). In the US the limit is $100,000 per domain under ACPA (https://en.wikipedia.org/wiki/Anticybersquatting_Consumer_Pr...)

Also if you lose one case, you are likely to have that used against you in the future (pattern of behavior). So any subsequent defense may be weaker in a system that already strongly favors TM holders.

Yes. You might have to deal with the hassle and expense of being sued.

There's all downside and no upside to playing this particular stupid game.

I mean technically, maybe, but it's extremely unlikely that they'd sue without sending a C&D first. And given the lack of damage even if they did it'd likely get dismissed quickly with him just giving up the domain.

But... IANAL and this is not legal advice.

The biggest trouble people get themselves into with this kind of thing is if they, upon being contacted by the company, ask for money instead of immediately offering to transfer the domain to them free of charge. At that point it's trademark cybersquatting and they have your own words in the email as proof.

Speaking from personal experience here: being on the end of any kind of notice with the threat of legal force, even if it's not a lawsuit yet, is the kind of stress you just don't need in your life.

If you actually caused say, reputational damage, you could be stuck with a lawsuit for more than just turning over the domain.

People have gotten in serious hot water over Internet traffic that was accidentally sent to them. Owning someone else's trademark as a domain name seems liable to increase the risk of that happening. Even if you aren't up to no good, you've now placed the onus on yourself of proving that you weren't, whereas if you weren't squatting on an obvious TM domain that wouldn't be true.

> People have gotten in serious hot water over Internet traffic that was accidentally sent to them.

You've piqued my curiosity. Any examples to share?

If anybody wants it, I compiled a list of Alexa's top 50 domains and their available TLDs:


Now with price!

I own 인스타그램.닷컴, and (actually!) use it to share photos with my Korean friends.

But, uhh, I would certainly not decline if Facebook were to try to purchase it to make it reroute to Instagram.

I really like the landing page. heh.

There is a service run by ICANN called the “trademark clearinghouse”. It is a subscription service that trademark owners, e.g. Netflix, can use to be notified of any domain that is registered and may infringe on their trademark. It even allows for wildcard patterns in ongoing searches.

How do I know this? Because I received a takedown notice regarding a domain I run to sell background job licenses (oban.dev). The business is entirely unrelated, but the clearinghouse alerting system still brought it to the trademark holder’s attention.

Was it from the Oban distillery? Trademark issues aside they make a great whisky.

Indeed. It was from their parent company. I’m a fan of their scotch, so it’s a little bitter sweet.

gTLDs are nothing but a money play by ICANN and registrars and really make the internet a (slightly) more confusing and dangerous place. Within epsilon, all the money spent by companies on gTLDs is dead weight with no payoff in increased usability but only to prevent some naive user from being tricked.

The advice I give my non-techie friends is avoid going to any business website that is not a “.com”

> The advice I give my non-techie friends is avoid going to any business website that is not a “.com”

You can't actually mean that? Country TLD? (Eg .CA) I'm actually pretty impressed by how the .CA registry (CIRA) has branded itself in Canada. There's even a bit more legitimacy for sites because it's clear they're operating in Canada (or have at least made an effort for Canadian representation).

Yeah, my default behaviour for any international company is to navigate to companyname.ca. Even if they don't use TLDs for their regional websites, it typically redirects to their Canadian site. (e.g. apple.ca redirects to apple.com/ca, microsoft.ca redirects to microsoft.com/en-ca, ikea.ca redirects to ikea.com/ca/en, etc.)

Presumably OP is American and does business with American websites 99.9% of the time.

Just in the US, there's also org, gov, and edu, not to mention the countless trustworthy ccTLDs in other countries.

> The advice I give my non-techie friends is avoid going to any business website that is not a “.com”

What about ".net"? It's a pretty old, established domain with many large companies using it (themeforest.net, cpanel.net, php.net, ovh.net, doubleclick.net)

Also ".io" usually hosts legit internet businesses.

There have been some efforts to prevent this kind of thing like the Domains Protected Marks List [1] which allows a company to block a second level domain registration which is an exact or partial match of their registered trademark, at a cost.

In this case, a company can block their trademark being registered in 241 TLDs administered by Donuts, Inc. Other registries have equivalents but it only really works for large TLD holders (like Donuts, Minds+Machines etc) where you can block registrations on dozens or hundreds of TLDs.

1. https://donuts.domains/what-we-do/brand-protection

I attempted to do this in the past on namecheap for an Amazon domain based out of some obscure African country (domain was showing as available). The domain order failed, presumably due to reasons similar to the author's Gibraltar example. I messaged namecheap live-chat support to ask why, and they basically said "we don't know why it failed, but even if it went through, if Amazon asks us to transfer ownership to them we'd go ahead and revoke your ownership"...which is BS kowtowing in my opinion.

> Did you know it costs a minimum of $185,000 to create your own domain name ending?

If I were a blackhat with money, I'd register the ".con" TLD.

... Sure hoping a whitehat gets it first.

But it's not like a self service portal, it goes through review and would probably be rejected for obvious reasons.

There are guidelines provided by ICANN


At least it would be self-descriptive! :D

Another self-descriptive one would be .orc

>Did you know it costs a minimum of $185,000 to create your own domain name ending? For that kind of money, I think ICANN, the registries and registrar sites have a massive responsibility to ensure that this never happens.

Which is why ICANN hasn't approved any new TLDs in years, and has a set of standards for registries and registrars to follow lest they lose their licensing.

Strange that Netflix hasn't drunk the Registry Kool-Aid and bought their "all-encompassing" TLD package which registers their trademark across all TLD's for a special price. On top of that, I'm doubly surprised Google hasn't taken action and already put this domain on hold in preemption of selling Netflix one of these deals.

>their "all-encompassing" TLD package which registers their trademark across all TLD's for a special price

That's a thing? What's preventing a predatory registry from being a holdout and demanding exorbitant prices?

Yeah: Domains Protected Marks List, e.g Donuts: https://donuts.domains/what-we-do/brand-protection

afaik there's nothing that requires registries to use a DPML and it doesn't really make sense unless they manage lots of TLDs, since the cost of adding your trademark to the DPML is usually a lot more than the cost of a single registration.

That is a thing for at least one Registry that I know of (and worked for), I don't know if Google does the same, but I don't believe there is anything stopping them (please correct me if I'm wrong).

Google does not do the same.

Which makes me doubly surprised! It was my impression that this product offering was quite lucrative.

The weird-looking symbols also go the other way around: if your language uses umlauts, you can score very good .com domains. For example, I have the equivalents to email.org, entrepreneur.com, and hacks.com in my native language. Some of these domains receive so much type-in traffic that they pay themselves in ad revenue each year.

A somewhat relevant project of mine, where you can test how good you are at spotting these sort of domains: https://www.jamieweb.net/apps/lookalike-domains-test/

The netflix.soy image is fantastic.

My mom is unable to pronounce "Netflix" correctly (Spanish is her mother language), she always said something like "nesflis". So yeah, years ago I bought nesflis.com for her.

> There was one left: netflix.soy (if you didn't click the link, soy means "I am" in Spanish)

apparently netflix.tofu was already taken (tofu is the infinitive form of the verb "fu" in TLDish)

> Truthfully, I think it's pretty bad that I was able to do this.

It is not. The explosion of TLDs is bad. It's simply a racket. But, Google supported it. So if they happen to suffer some of the consequences... so be it.

Explosions of TLDs is bad!? Why? It got rid of impossible to buy good sounding and short names, largely massive multi million dollar companies holding onto them.

Explosions of TLDs literally has absolutely no downsides besides the security and phishing implications. It just wiped out the domain mafias and replaced it with a massive competitive marketplace.

Many of the gTLDs charge exorbitant yearly fees for "premium" domains as a means of recouping costs. I pay $300/yr for {myFirstName}.dev. It's extortion, and I might drop it.

With many of the common domain suffixes now becoming TLDs, branding seems much more difficult since you have to buy multiple domains. Is it audiotech.com? audio.tech? tech.audio? Who knows.

I don't think that I would call this better.

My opinion is that Google wants to erode the open web and is using gTLD proliferation to make it confusing to consumers. Instead of remembering a URL, just Google for it.

I think it’s the opposite: if the market can bear premium prices and exorbitant fees, I’m fine with that. There is nothing asymmetric about it. Your company wants to sell $4000 purses? Go for it as far as you can find buyers. Louis Vuitton has.

Luxury products are not exploitation.

> I pay $300/yr for {myFirstName}.dev. It's extortion, and I might drop it.

From where? Google? I just paid $12/yr for a .dev domain on Google Domains.

Yes, from Google Domains. Some of their domains are "premium".

Here's an unregistered one. "red.dev" is $720/yr from Google:


"god.dev" is cheaper at $180/yr:


And, of course asdfasdf.dev is only $12/yr:


Most of the {firstname}.dev domains are in the $300/yr range, but it's uneven. Some names cost more or less than others. I remember seeing one as $1000/yr, but I can't remember what it was.

I double checked my cost. "$180 plus tax"/yr. From Google.

.sucks is one such example. Everyone feels obliged to buy their own .sucks, lest someone else use it to stand up a hatepage.

A whole bunch of money changes hands, but nobody is better off. gTLDs were a mistake.

Somewhat off-topic, tinyprojects.dev and netflix.soy both have DNSSEC, is this required for some of the newer TLDs (like how .dev has mandatory HTTPS preloading)?

Just it's rare to see it in the wild.

Nope. As for .dev, Google controls the tld and the HSTS list baked into Chrome.

I tried to register a google gtld before but namecheap wouldn't let me. I believe they have some phishing blacklist that they enforce.

Does anyone aggregate access to all 1500 TLD's? Is there a guide available on which combination of registrars to use to query them all?

Not all registries participate in the SRS registry protocol. Some of the lesser known ccTLDs must be registered by the individual authorities.

It's not accurate to run a DNS query to determine whether the domain is available because one can own the domain, but decide not to set any DNS records.

Wouldn't non-existent domains just return NXDOMAIN?

Yes, but so do registered domains without DNS records.

Run WHOIS at scale and store the results into a DB. gTLD operators are required to provide WHOIS services, and WHOIS tells you whether any given domain is registered or not.

There are companies that will happily sell you this data in a more usable format.

did the same thing 2 years ago, scanned for available domains of known companies, bought pornhub.it and made redirect to actual pornhub.com

to my surprise, there were around 200 clicks per day, mostly coming from italy of course. i didn't want to do anything malicious with it, so in the end i didn't extend. domain was snatched by someone else as soon as it expired.

Fun article, however: ".coms are slowly becoming less relevant" no they don't. They are becoming more relevant if anything.

They can UDRP it from you in less than a week, but if you were trying to waste time (and money) guess there are worse things to do.

As an aside, having your entire blog italicized might look « better » on the eye but it's incredibly laborious to read.

> I actually paid for google.gi (gi for Gibraltar), only to get this email a few hours later

They did refund you, I hope?

Those domains can easily be seized by the respective companies, which is a bigger problem imo.

If they wanted to, they could take it from you because they own the trademark.

apple.beer is actually a pretty good domain name for a cider company. Not technically accurate of course, but pretty good from a marketing perspective.

Fuck ICANN for pimping out the internet to make a quick buck. We need to replace them with an organization that is truly neutral and not for profit.

Haha, I love the drawings.

I wonder if there is any SEO magic to having those domains. Might be worthwhile to test it out?
