I thought GoDaddy was an industry pariah, avoided by anyone who knows anything. What's the motivation to use them beyond saving a few dollars? Do they have a monopoly on certain domains?
Many non-technical founders go to them for the domain. By the time technical people (who know better) are involved the domain is already purchased and presumably transferring it out isn't prioritized.
In a lot of my experience, tech people first hear about a new domain when someone in marketing says "we're launching a new x. I've already done a lot of work by going to GoDaddy and buying the domain. You should be able to finish the web and services from here now that all the hard work's done".
You can't transfer a domain within 60 days of purchase so I usually end up going live with services there.
GoDaddy has been caught registering domains that users search for on their site. Search to see if wowlolkittenseatingpizzaarecool.com is available. It is available and you don't buy it. Check tomorrow. It is not available but you can buy it from the owner for $99 instead of $8.
I personally use NameCheap, but my company uses GoDaddy and has since before I got there...and the company we bought? Also uses GoDaddy. In total that is about 2000 domains. Transferring them would cost a lot of money and time and in the end is not worth it to save over the long run.
Potentially getting their DNS redirected would cost even more. (Also there are no "transfer fees" - although maybe GD unscrupulously does that?) So it's only a time consideration.
I use GD simply because their advertising worked. When I registered my first domain I didn't know where else to start and just haven't bothered to transfer to another provider.
I don't think there is a best one but better ones.
Personally I use Gandi when I want to pay a bit more to have a user friendly interface and support. When I just need a domain for myself I use bookmyname because it can't be cheaper and the old interface is fine for me.
If you are already sending your money to Amazon, AWS Route 53 is also a good alternative.
I've been really happy with EasyDNS over the past 10-20 years... definitely not the cheapest registrar but well worth it in my opinion. They offer several pricing plans, but I like the $40/year registration and backup mail spool. If your main MX server goes down, I believe they hold your email on the secondary for up to a week? Cheap insurance at $3/month. Been very happy with support (live person picks up the phone, and generally is an engineer). Web interface is nice, they support standard privacy screen functions for whois, and generally seem to be good people.
My only affiliation with them is as a happy customer.
There's a common list of providers mentioned every time on similar articles. Gandi, namecheap, dnssimple, and a few others. + all the usual cloud providers and CloudFlare.
I see recommendations very regularly here. I use Gandi.net and they are great, but I also regularly see namecheap being recommended (I never used them though, in my book "cheap" means low quality ^^ I'm French and the English word is often used that way :) )
Back when I was a college student, my popular video game wiki's domain [1] was stolen by a former associate of mine while I was overseas.
GoDaddy did nothing to help the situation, and the thief had substantial monetary resources and threatened to get me tied up in court. He was ten years older, had an engineering income, and came from a family of lawyers. I was just a college student and felt powerless to do anything about it.
I assume it was social engineering. He had access to the server and database, but was never supposed to have domain name access.
GoDaddy sucks.
Also, their founder kills elephants for sport. So there's that too.
Honestly, it seems like this headline pops up at least once per year. I switched to another registrar close to a decade ago because of security concerns.
His nameservers have been set to DigitalOcean servers for well over a year. A GoDaddy rep wouldn't be able to change MX records on those nameservers. They would have to change the nameservers on his domain to GoDaddy servers and then add new MX records. That's more than just a simple MX record change and seems more unlikely to me.
They could change the NS to point to the attacker's server. That one would respond to the MX queries with the new hostname and forward everything else to the original DNS server, ensuring no other differences are noticed.
No, not according to Wasabi’s incident page. It’s pretty funny though to see GoDaddy suspending domains for abuse when they can’t get their own house in order.
Also, who made GoDaddy the content police? I didn’t think domains were that easy to suspend. Is that just a GoDaddy thing?
What registrar do people recommend these days for domain registration that's (more?) secure against domain theft attack vectors? Namecheap? Gandi? MarkMonitor? One of the cloud providers?
I use and like Gandi. If you're worried about social engineering though, I'd probably go Google since they would be the hardest for someone to get ahold of.
I had my domain taken over while on Gandi. Interestingly they didn't do it via customer support, but instead were directly in contact with Gandi's legal department. Their legal guys approved the request/order without thinking to actually verify anything at all. Funnily enough, I had way more trouble getting my domain back than the people who stole it.
As far as I can tell, Google, Cloudflare and Namecheap are really the only guys in town that don't fall for stupid shit.
I've heard of past concerns about some of Gandi's internal procedures and even ignoring that, they've been acquired by a venture capital firm of sorts.
It's a meme, but not exactly true. Google has terrible customer support. And has great security. But the great security actually comes from actually very good policies, and they have a fantastic "advanced protection" service for people who are targeted.
I was targeted extensively and purely from social engineering they managed to trick:
A) Apple
B) Amazon (AWS)
C) Gandi
Into handing over my accounts. Companies that stood up fine and were targeted:
MarkMonitor for businesses and large organizations. They have a lot of resources that can work with your legal team if domain legal issues crop up. They also have a legal presence in multiple countries that require you to have a local presence to get their ccTLD. They can super-lock domains so that if someone manages to change the root servers, they can instantly change it back unless a process that you define is followed.
> They can super-lock domains so that if someone manages to change the root servers, they can instantly change it back unless a process that you define is followed.
If you're referring to registry lock, that's not exactly how it works. It prevents said changes in the first place rather than merely reverting them; all changes have to go through an enhanced, manually verified, known-human-to-known-human change process. This is what e.g. google.com uses.
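A defender-side check for the two points discussed above (a changed NS delegation that quietly redirects MX, and registry lock), added here as an illustration and not part of the original thread. The snapshot format and every hostname are constructed; the status names are the EPP codes from RFC 5731.

```python
# Added example: compare an observed registration/DNS snapshot with a pinned baseline.
# The snapshot dict format and all hostnames below are constructed for illustration.

# Registry lock shows up as the server*Prohibited EPP statuses (RFC 5731).
REGISTRY_LOCK = {"serverTransferProhibited", "serverUpdateProhibited",
                 "serverDeleteProhibited"}

def _norm(names):
    """Lower-case hostnames and drop the trailing root dot before comparing."""
    return {n.strip().rstrip(".").lower() for n in names}

def delegation_drift(baseline, observed):
    """Return (code, detail) findings; an empty list means nothing drifted."""
    findings = []
    base_ns, obs_ns = _norm(baseline["ns"]), _norm(observed["ns"])
    ns_changed = obs_ns != base_ns
    if ns_changed:
        findings.append(("NS_CHANGED", "added=%s removed=%s" % (
            sorted(obs_ns - base_ns), sorted(base_ns - obs_ns))))
    obs_mx = _norm(observed["mx"])
    if obs_mx != _norm(baseline["mx"]):
        # With the NS set intact the zone was edited at the DNS host; with a
        # new NS set the answer comes from whoever now holds the delegation.
        cause = "delegation moved" if ns_changed else "zone edited at DNS host"
        findings.append(("MX_CHANGED", "%s (%s)" % (sorted(obs_mx), cause)))
    missing = sorted(REGISTRY_LOCK - set(observed["status"]))
    if missing:
        findings.append(("NO_REGISTRY_LOCK", "missing=%s" % missing))
    return findings

BASELINE = {"ns": ["ns1.dns-host.example", "ns2.dns-host.example"],
            "mx": ["mx1.mail-host.example"]}
# Constructed snapshots: one healthy (case and trailing dot differ), one drifted.
HEALTHY = {"ns": ["NS1.dns-host.example.", "ns2.dns-host.example."],
           "mx": ["mx1.mail-host.example."],
           "status": ["clientTransferProhibited", *sorted(REGISTRY_LOCK)]}
DRIFTED = {"ns": ["ns1.unknown-host.example", "ns2.unknown-host.example"],
           "mx": ["mail.unknown-host.example"],
           "status": ["clientTransferProhibited"]}

if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY), ("drifted", DRIFTED)):
        print(name, delegation_drift(BASELINE, snap))
```

Filling the snapshot from WHOIS or RDAP output and a DNS lookup is left out so the example runs offline.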
I think it boils down to a shitty employee at the end of the day.
If you have someone who decides to cut even 1 corner, it can be devastating to a domain owner.
I have hundreds of clients who have used them, and I've never been on the phone with GoDaddy and had them do any less than tell me to bug off if I don't have a pin or get the 2-factor auth code to verify myself.
Reading the Twitter thread, what's the current best security practices for email addresses? Because I thought getting your own domain was the better thing to do but it seemed in this case using a Gmail address would have been better?
If you want your domain to be safe from compromise via social engineering of the registrar, then use a registrar with a strong security policy. GoDaddy is a mass market registrar with tens of millions of customers for whom security is not their top concern.
Cloudflare offers a security-oriented registrar service that is also extremely affordable. I would recommend using them.
2FA reduces the chances of someone logging into your registrar's web interface as you. It does not prevent actual hacking, an inept or malicious employee or someone operating a compromised registrar.
What gave you the impression that coins were stolen? The Twitter thread only mentioned that a few people's domains were hijacked, and that the victims all had their emails (and hence domains) exposed in a recent hack/leak of Ledger. It's conceivable that after hijacking a domain, you can gain access to the victim's cryptocurrency exchange account via password reset email and steal coins that way, but most exchanges I know require multiple factors (eg. passport scans, phone/sms verification, waiting periods, security questions, etc.) so a hijacked email isn't going to do much.
That's true, but where in my comment does it suggest that keeping coins on an exchange account is a good idea? If you're a bitcoin whale, there's invariably going to be a decent amount of coins worth stealing on an exchange account somewhere. The only reason exchange accounts were brought up is that's the only conceivable way a domain compromise can lead to coins being stolen.