Tell HN: Cloudflare prevents transfer-out of domains, sets to 'pendingdelete'
272 points by unknownaccount on May 31, 2022 | 100 comments
A recent post that has gained traction this afternoon is about a user whose account was wrongfully terminated by Cloudflare due to false positives, and his inability to get in touch with support through normal channels. As per usual, the Cloudflare PR spin doctors (who monitor HN for any mention of the company name using a script) quickly turned up in the thread and had the user's account restored before they got too much bad press for their mistake.

However, the worst part of this fiasco, was that this thread shed light on a far more terrifying issue regarding CloudFlare. The problem is that allegedly when they terminate your account you are unable to transfer-out your domain names. Allegedly, and perhaps far more insidiously, CloudFlare sets them to “pendingdelete” status. Meaning not only can you not transfer out your domain to another registrar, but the domain will expire after a short period of time and can therefore be sniped by an unscrupulous third party.

This post is a warning to the community: DO NOT transfer any domain name to CloudFlare that is valuable or important to you. Because at any time, your account can be terminated for no reason ("false positives") and you will not be able to transfer your domain to another registrar. You will probably be unable to get them to reinstate your account so that you can transfer out your domain through the normal support channels because they totally stonewall you ("The suspension is permanent and we will not be making changes on our end."). You would either need to take them to court to get your domain name (but by then your domain may already be permanently deleted/expired or sniped by a 3rd party) -OR- make a big stink on HN in order to summon someone with actual authority in the company who can remedy the situation.

Relevant thread: https://news.ycombinator.com/item?id=31573854




Frankly, the whole "it's fraud-related so we can't tell you anything nor consider your appeal, because otherwise our adversaries(tm) might take advantage of it" has always seemed like a total sham to me. I've always read that as: "it is inconvenient for us to be accountable." Given how quickly OP's situation turned around, I can't help but wonder if an honest, straightforward explanation would sound absurd. Being forced to produce one might even trigger an agent to rethink an appeal, instead of just saying "Nope, it's fraud, goodbye" - sort of a rubber duck thing. One can dream, I guess.

I know actually engaging with fraudsters is probably a huge time sink, but... I think that probably should just be the cost of doing business. It's definitely not acceptable to delete domain registrations of suspected fraudsters. With no warning.


To really put into perspective how wrong that is, imagine if courts worked that way. "We've found you guilty and sentenced you to death. No, we're not telling you what you were accused of, let alone letting you defend yourself or appeal."



Oddly, it’s the plot to Franz Kafka - Der Process!


Sounds like a Cardassian court


"We have a user hostile TOS and more lawyers than you do"


Exactly. It’s basically we are a big corporation we pay for big lawyers so we can f you if we want to.


I always found it a bad excuse as well. There is no reason not to have some sort of due process with these important accounts.


> but by then your domain may already be permanently deleted/expired or sniped by a 3rd party

Or snapped by Cloudflare themselves.

> Cloudflare may, at its discretion, elect to assume the registration and may hold it in its own account, delete it, or sell it to a third party. [1]

[1] https://www.cloudflare.com/domain-registration-agreement/


While I don't want to fully defend Cloudflare's customer-hostile practices here, it's worth noting that the text you quote is only for if a domain expires:

> In the event that Registrant fails to renew the domain name in a timely fashion, the registration will expire and Cloudflare may, at its discretion, elect to assume the registration and may hold it in its own account, delete it, or sell it to a third party.

I mention this because without that context it looks even worse.


I am not sure the context makes it less worse.

If they alter the domain status to pendingdelete, as stated by the OP, the domain is de facto expired.

And the same Domain Registration Agreement gives them the unlimited right, at their sole discretion, to modify the registration of a domain for a number of reasons, for which it seems you have no other recourse than hoping to be on the frontpage of HN even if such decisions were unfounded.


Why wouldn't they pull that as soon as a startup customer becomes successful?


Why would they ever do that? That isn't going to standup in court, you can't just take over another company with a line in your TOS


Why would they? Owning the domain doesn't mean they own a business. They would just kill their own source of income. (And any potential future income from that company)


The inevitable fallout?

I imagine those steps are something they hope to only ever invoke on clearly illegal enterprises.


That specific "we can do whatever" language is only for domains that you didn't renew on time.

They have some separate terms that allow similar things, in specified categories of abuse and related stuff.


Yikes if true.

I moved several valued domains to Cloudflare registrar precisely because I assumed that they'd be better in "rare but extremely unpleasant" domain-loss scenarios, such as account takeover (by a third party) or account suspension/termination (by them).

Contrast with Google domains, where I could never shake a worry that uploading the wrong music in a private YouTube clip could one day randomly cascade to my whole domains account being closed without recourse..


Vouching for Porkbun, which has .com renewals for $9.13/year. The web interface is simple and no-nonsense. I have been using Porkbun for many years for TLDs that Cloudflare Registrar didn't support, and have never had a problem.

https://porkbun.com


I also use Porkbun, also because of Cloudflare Registrar not supporting some TLDs. One thing that really impressed me was Porkbun's phone support.

When I transferred in some domains I had some questions about their UI so I gave them a ring, and immediately I was chatting with an extremely competent product engineer.

No phone system to navigate, no filtering through L1/L2 "support", no bullshit. I can't remember the last time I've had such a pleasant experience contacting support for a service.


My favorite feature [1]:

> PASSWORD PROTECTION: Want extra protection on your domain when changing certain features or getting an authorization code? Within the Password Protection section in your domain Details area, you can set a password by selecting the toggle switch "ON." From there you can create a password that will be required to enter when managing certain aspects of the domain.

They also support security keys (WebAuthn) [2]. I’ve used them for 3-4 years and have no complaints. I don’t like the handshake stuff, but you can’t blame them for wanting in on that windfall.

1. https://kb.porkbun.com/article/175-domain-details-area-expla...

2. https://kb.porkbun.com/article/119-how-to-secure-your-accoun...


PorkBun is definitely my go-to choice. I've used Namecheap and Hover previously, but PorkBun has been the best experience overall.

A very no-BS experience.


Namecheap. They do a good job.


I've actually used Namecheap for years and really liked them. But last year they locked my account for "security" and it took three months to unlock it! It was scary stuff, and their excuse was that because I kept replying to support, it put my ticket at the bottom of their queue... So I jumped on putting some of my domains in Cloudflare, but that looks like a mistake now too. Anyone got any other decent suggestions they like?


I've never had a problem with them, even when doing some relatively complex things. And their support has always been very responsive. I don't know what happened in your situation, obviously, but did you try calling? Or chatting? I assume you did not, so while I sympathize with your painful experience, it sounds like user error.


Yeah, I never had a problem with them for years, until I did... I've never seen phone support, and still don't see a number anywhere on their website. If you have to be logged in to see it... Also, the chat is how you create a ticket. I chatted multiple times and they kept saying it was an escalated issue and only a "higher up" team could handle it and I'd just have to wait for a response. Glad you've never had any issues, good luck with that!


This happened to me with namecheap as well. They banned my domain without any detailed explanation. So I don't trust it.


Would really recommend against them, had some random user report my domains and lost all the domains I had in Namecheap because of it.

Their support basically ignored any evidence to the contrary and let my domains expire and be sniped by other buyers.


I think if you're going to make claims like this you should include supporting evidence.



I'm familiar with how it feels to be at the wrong end of a dispute like this, but I think it's important to tell you that it would strengthen your case if you had shared more information about your attempts to contact them. Did you call? Or initiate a chat? How did it end up resolving? The thread you have only confirms the beginning of the problem, not the middle or the end.

EDIT: my motivation here is to tell you honestly what would strengthen your case. There is no upside for me in this conversation. I'm not affiliated with namecheap or any other registrar, and am merely offering my perspective: as a happy customer, I can be moved by other people's bad experiences, but they must be well documented. If you don't like hearing that, then ignore it.


Considering your replies to other saying the same thing I doubt providing that would change your mind.


So we keep moving goalposts eh?


And they have a good support team. The customer support chat lies that they have "busier than usual" traffic and it's better to open a ticket, but if you ignore that warning you'll get a person in a minute or two - and a helpful person!


Look up the recent Hacker News history about Namecheap.

It turned out that they are mostly a Ukrainian company, and when the war started the CEO decided to terminate “services to users registered in Russia” with only four work days notice.

I don’t know if any customer account was actually suspended. I also don’t know what “registered in Russia” means, is it nationality, residency, billing address, customer’s IP address or the A record. Some EU clients also received this letter.

I can relate emotionally. But this way of addressing existing customers, who have paid for their services, is whimsical and unprofessional. I also think that discrimination based on region or nationality is unnecessarily broad. It certainly didn't stop Putin.

Just to be clear, I believe Ukraine needs and deserves all kind of support to win this war.


Namecheap is terrible and will buckle immediately when it comes to false abuse reports and do this exact thing upon receiving them.



And you can still use Cloudflare, Google, or Amazon for DNS if you so choose.


I'd second this approach.


Perhaps, but not in my case. Their service and particularly support is just terrible. Glad I moved out all my assets from there.

To be fair I'd stay away from Cloudflare as well


No. Namecheap sold out years ago.


Cloudflare for DNS, Hover for registrar.


Namesilo. They do a good job.


Cloudflares registrar service is quickly souring years of goodwill I had for the company.

Domain ownership/control is basically the keys to the kingdom for most businesses and Cloudflare should recognize that responsibility and fucking shape up.

Stop treating your registrar like it's some side piece product you can use to lock people into your services.


I'm not writing this because I want to hurt Cloudflare. I'm just explaining my interpretation of the events. Because I wonder: what if it happened to me? I'd be very upset if my domain was snuffed out and I couldn't even appeal. If you have all your business accounts and personal email centralized upon your domain, their little "false positive" mistake can utterly wreak havoc on your life. Domains can be the entirety of a person's assets, worth tens to hundreds of millions USD. It's something they need to be absolutely certain of before they pull the trigger. This is digital assassination.


Over the years we've heard stories of bad registrars but never has one locked you out then set the status to pendingdelete and have terms that allow them to take the domain.

Anyone who trusts them with a domain better hope for a slow news day on hn when you get flagged by mistake.


Always use a separate, dedicated registrar. Never register a domain with a company you have any other business with.


Word. I work at a registrar, and even I only use the company for domain name registration, nothing else.

I mean, I trust the company, and have complete faith in the quality of the products; It’s just a bad idea to depend on company resources for anything in your personal life.


Ugh, I just switched things over to Cloudflare a little while ago. But if this ever happened to me it would destroy my digital life, because like the OP all of my emails go through my custom domain. Time to look into Namecheap I guess.


I highly recommend https://www.gandi.net/


Just a reminder of this from a few years ago. I'd used them before but moved off after this: https://news.ycombinator.com/item?id=22001822


I recently learned that their whois privacy stuff just doesn't do what it says it does, and all the data was just straight up public. I would have suggested them before but no way in hell should anybody use them.


Do you have more details?


I registered a domain with whois privacy turned on, the details (phone number, address, name) simply aren't masked and are visible on public tools. I read through all of the documentation and there's no reason for that to have happened, it's not on an exception list and it's not falling afoul of any of their rules. Not a whole lot else to say there, something is really messed up.


I previously had this problem - their privacy wasn't working on my .it domain. I talked to them and they fixed it quite quickly


Yeah but- damage done already, the data is public forever. It shouldn't have happened.


I'd highly recommend against Namecheap: https://news.ycombinator.com/item?id=31576976


Another thing I read in the comments under that thread is that there are people here trying to advocate for CloudFlare to kick other customers out because of disapproval of their politics. This sounds dangerous too. I think this has something to do with what CF did in the past.


Companies need to stay the hell out of politics.

Netflix learned that lesson.

It might be tempting to go along with the Zeitgeist but 2 years later, things will flip and you’re going to be caught in the crossfire.


> CloudFlare sets them to “pendingdelete” status

This isn't an action which a registrar is generally able to perform.

Domains naturally transition to the pending delete status at the end of the redemption grace period (i.e. 1 to 2 months after the domain expires, and at least one month after the domain stops resolving).


It sounds like the domain was deleted. That is absolutely an action a registrar can take, and you would have a pendingDelete status in addition to a redemptionPeriod status on the domain.

If I had to guess, they kill an account and delete any of its domains, which is absolutely the wrong way to go about handling that. The domain is already registered, so you move it to a holding account for further resolution. Just because you terminated an account, you shouldn't be deleting a domain.


I strongly suspect that that's not an action a registrar is allowed to perform. Do you have any documentation on what would allow them to do that?


It's technically possible but very uncommon, and using it on an active registration will raise some eyebrows at the registry. I'd almost forgotten it was an option at all.

https://datatracker.ietf.org/doc/html/rfc2832#section-4.3.3


You linked the wrong doc. You want domain delete

https://datatracker.ietf.org/doc/html/rfc5731#section-3.2.2


Quite interesting, but aren't there restrictions on what circumstances they're allowed to delete domains? This section of the doc doesn't seem to speak to that, or maybe it's another doc entirely.


When a domain expires it’s automatically renewed at the registry in the case of gTLD’s.

A registrant then has 30-44 days (depending on the registrar) to "renew", but in fact the domain has already renewed, so what happens is the registrar deletes the domain in the case where they don't have that affirmative action.


Right but that wouldn't apply here I'd assume, unless we're saying the customer's domain was already expired and they didn't renew it?


It does apply here. A domain does not need to be expired, a delete can be sent any time it’s active. The only prohibition is if the domain has “clientDeleteProhibited” status which the registrar can remove.


I must be missing something. Then why does your previous comment start with "When a domain expires" ?


I was just illustrating the normal circumstance delete is used. But there is no reason a delete can’t be used any time on an active domain.

All I can say is read the rfc or take my word for it, I’ve run a registrar.


I think they are saying that is /why/ the capability exists, but in this case the capability is being used beyond its intended scope.


That's possible, but I'm _pretty_ sure that's not how it works, there are restrictions on what circumstances registrars are allowed to do various actions too.


Pretty much, there have been times I’ve deleted a domain due to compliance/legal type issues. It’s more expedient than waiting for an expiration

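The status codes argued over in the sub-thread above (pendingDelete, redemptionPeriod, the clientDeleteProhibited lock that the registrar itself can clear, and the transfer locks) are the same values a gTLD registry publishes over RDAP, so a registrant can watch for them instead of waiting for a support ticket. The script below is an added example, not code from any commenter or from Cloudflare: it translates an RDAP record's status strings to EPP codes using the RFC 8056 mapping and flags the deleted, held, unlocked and soon-to-expire conditions. The two records it runs on are constructed sample input, not real RDAP responses for any domain; the network lookup (e.g. GET https://rdap.org/domain/<name>, or the registry's own RDAP base URL) is deliberately left out so the example runs offline.

```python
"""Classify a domain's registry status from an RDAP record.

RDAP status strings map one-to-one to EPP status codes (RFC 8056); a registrant
can poll them to notice a delete, a hold or a transfer lock without depending on
the registrar saying anything. HEALTHY and DELETED are constructed sample
records, not real RDAP output for any actual domain.
"""
from datetime import datetime, timezone

# RFC 8056 mapping, restricted to the status values this check looks at.
RDAP_TO_EPP = {
    "active": "ok",
    "inactive": "inactive",
    "client delete prohibited": "clientDeleteProhibited",
    "server delete prohibited": "serverDeleteProhibited",
    "client transfer prohibited": "clientTransferProhibited",
    "server transfer prohibited": "serverTransferProhibited",
    "client update prohibited": "clientUpdateProhibited",
    "server update prohibited": "serverUpdateProhibited",
    "client hold": "clientHold",
    "server hold": "serverHold",
    "pending delete": "pendingDelete",
    "redemption period": "redemptionPeriod",
    "pending transfer": "pendingTransfer",
    "auto renew period": "autoRenewPeriod",
}

# Reference date for the expiry check (the date of this thread); constructed.
NOW = datetime(2022, 5, 31, tzinfo=timezone.utc)

# Constructed sample: a normally locked, live registration.
HEALTHY = {
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client delete prohibited",
               "client update prohibited"],
    "events": [{"eventAction": "expiration", "eventDate": "2023-05-31T00:00:00Z"}],
}

# Constructed sample: a name the registrar has deleted while it is still
# transfer-locked, i.e. the situation described in this thread.
DELETED = {
    "ldhName": "example.net",
    "status": ["pending delete", "redemption period",
               "client transfer prohibited", "client hold"],
    "events": [{"eventAction": "expiration", "eventDate": "2024-01-15T00:00:00Z"}],
}


def epp_statuses(rdap):
    """Translate the record's RDAP status strings to sorted EPP status codes."""
    return sorted({RDAP_TO_EPP.get(s.lower(), s) for s in rdap.get("status", [])})


def expiration_date(rdap):
    """Return the registry expiration event as an aware datetime, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def assess(rdap, now=NOW):
    """Return a list of (severity, message) findings for the record."""
    st = set(epp_statuses(rdap))
    findings = []
    if "pendingDelete" in st:
        if "redemptionPeriod" in st:
            findings.append(("CRITICAL", "deleted at the registry; during the redemption "
                             "period only the sponsoring registrar can file a restore"))
        else:
            findings.append(("CRITICAL", "deleted and past redemption; the name will be "
                             "purged and becomes registrable by anyone"))
    if st & {"clientTransferProhibited", "serverTransferProhibited"}:
        findings.append(("INFO", "transfer lock set; normal for a live domain, but "
                         "transfer-out needs the registrar to clear it"))
    if st & {"clientHold", "serverHold"}:
        findings.append(("WARN", "hold set; the name is withheld from the TLD zone "
                         "and does not resolve"))
    if not st & {"clientDeleteProhibited", "serverDeleteProhibited", "pendingDelete"}:
        findings.append(("INFO", "no delete lock; clientDeleteProhibited only guards "
                         "against mistakes, since the registrar itself can clear it"))
    exp = expiration_date(rdap)
    if exp is not None and (exp - now).days < 30:
        findings.append(("WARN", f"expires in {(exp - now).days} days"))
    return findings


if __name__ == "__main__":
    for rec in (HEALTHY, DELETED):
        print(rec["ldhName"], epp_statuses(rec))
        for sev, msg in assess(rec):
            print(f"  [{sev}] {msg}")
```

Run it on a schedule against your own names and alert on any CRITICAL or WARN finding, or on any change in the EPP status list between runs: a delete sent by the registrar shows up as pendingDelete plus redemptionPeriod well before the name is purged, which is the window in which a restore is still possible.
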

As mentioned in the original thread, this happened to me with Namecheap as well. I ended up just buying the domain from Cloudflare again. I think anyone could have done it at that point.


I think it's time for fundamental pieces of Internet infrastructure like registrars to be classified and regulated as utilities. Make it as hard to steal someone's domain at it is to shut off their water.


For those looking for registrar options, I've always had good experiences with porkbun.com.

I don't have any affiliation with them, just a happy customer for several years now


I want to believe it's not true. If CF makes a post saying this didn't happen then I'll take this down. As of now, this theory leans on anecdotal evidence. I just want to know the true answer to the question: Have users been banned from their CloudFlare accounts over false positives? And while their account is in this disabled state, is it prevented from transferring out domains?


Hello,

I’m the Head of Trust & Safety at Cloudflare. I wanted to clarify our processes, which were described inaccurately in this Hacker News post.

As part of our standard fraud review process, domains determined to be malicious registrations/transfers may be deleted. In those cases, we typically take steps to notify the account holder so that they can contest the determination if appropriate. Cloudflare allows transfers of domains out of Cloudflare’s registrar immediately, unless there are indications of potentially malicious or fraudulent activity. Cloudflare follows the standard industry practice followed by virtually all domain registrars of blocking the transfer out of domains deleted for what appears to be potentially malicious purposes.


The process wasn't described inaccurately in the OP post. What you said here doesn't contradict anything in the OP post and in fact confirms that it happened.

>domains determined to be malicious registrations/transfers may be deleted

The person in the story's domain was determined to be malicious and deleted for fraud (however, in reality it wasn't), like you said.

>Cloudflare allows transfers of domains out of Cloudflare’s registrar immediately, unless there are indications of potentially malicious or fraudulent activity.

This is what the OP post described as having happened in the story. The person's domain was determined fraudulent and was thus disallowed from transferring out, like you said.

>Cloudflare follows the standard industry practice followed by virtually all domain registrars of blocking the transfer out of domains deleted for what appears to be potentially malicious purposes.

The fact is, a serious mistake was made by Cloudflare and evidently the guy had no way to appeal the decision outside of Hacker News. It is clear that this industry practice needs reform. Perhaps instead of trying to dismiss/downplay this, your time would be better spent improving the process or maybe implementing some form of due process/trial for these extremely important accounts. An accidental domain deletion seems to be no big deal to you. But in reality it's a nightmare that can cause serious harm to a person's life and livelihood.

Try to imagine it yourself, how it would feel if one day all your important accounts stopped working. All your domains have been hijacked! Why? Because your registrar set them to DELETED on short notice due to a random false-positive fraud flag and a sniper re-registered them elsewhere! There is nothing you can do about it; your registrar stonewalls you. You're completely screwed and there's nothing you can do about it. Your valuable domain is gone. All your important accounts tied to email on that domain get broken into. Your companies and brand are destroyed. No one ever suspects their properly secured domain name will randomly be DELETED in less than the time it was registered for. This is a really traumatic event for people and not something that should be minimized.


The main differences between the post here and your description that I see are a) the post didn't explicitly clarify that this only applies when domains are determined to be malicious, b) the post is less optimistic about your appeals process, and generalizes the recently documented example where the appeals process failed.

However, regarding the core issue (a false positive on the fraud detection can get my domain both deleted and blocked from transfers) the post and your reply seem to be in agreement. (And the "typically take steps..." makes me wonder whether there are cases where you don't even notify the account holder, aside from court orders.)

I get that dealing with fraud at scale is hard, but this (especially the lack of a "why this won't happen again") does not exactly reassure me.


Can you do a post-mortem on what happened there?


> Cloudflare follows the standard industry practice followed by virtually all domain registrars of blocking the transfer out of domains deleted for what appears to be potentially malicious purposes.

The problem here is the entire process is opaque. Obviously your process can have false positives, so why should anyone trust the "standard industry practice" is being followed for domain deletion? Plus, IMHO "standard industry practice" is a term that gets dragged out to describe subjective policies and measures that can't be quantified or explained easily.

> In those cases, we typically take steps to notify the account holder so that they can contest the determination if appropriate.

The thing that's problematic here is "typically". Maybe that's just wording to indicate that it's not always possible, but you always make an attempt (?). If so, say that. For me, the frustrating part is that I don't know the rules, so I can't adequately evaluate the risk of being banned. I can't have a contingency plan either because there are no guarantees. If the OP's story is even close to accurate, I think it's safe to say anything can get you banned due to a false positive and that scares me.

Even if you feel like you can't make the detection systems transparent, which I can understand, it would make a big difference if people could understand what the process is after an account is flagged. Why should I invest in development that targets Cloudflare's platform if I can be banned on a whim without any communication? Why doesn't my side of the deal get any guarantees?

I don't agree with instant blocking of any accounts, even the free ones, but I can understand the free accounts likely create challenges I can't even begin to hypothesize about.

That said, I don't think you're seeing the other side when it comes to instant blocking of services. I've dealt in the small business space a lot and the difficulty there is that a tiny, low priority issue for you, like blocking a small account, can be hugely detrimental to a small business. I've dealt with some small family run businesses where they own short domains that would be instantly squatted on upon deletion and the cost of recovering them would be significant in relation to their annual income.

Personally, I'd like to have some clear rules and guarantees surrounding account termination. Let me set one or more emergency contacts for my account and give me a clear timeline for attempts to reach out to those contacts before taking action on my account. And I'm not talking about some legalese buried on page 20 of the ToS. Put it in the control panel next to my contacts. If you can't give me any guarantees on a free account, that's fine, just say so up front and tell me what I need to do or pay to get to the point where my service won't be terminated by a robot.

I was really, really disappointed to see the OPs situation because I totally bought the mantra of Cloudflare wanting to make the internet a better place and I don't think you're doing that by being another "also ran" in the context of treating your users like they're disposable. Maybe I was just being naïve and overly optimistic because big tech treats everyone so badly that I wanted to believe there was truly someone out their trying to be on the side of the average user / developer.

The most disappointing part is that I think Cloudflare's strategy of targeting underserved markets has the potential to pay off more than people realize. I tried out Pages/Functions with a SvelteKit project (+ adapter) a while ago and it's the first time in years that I've actually been excited about something technology related because I can see the potential it has to give small developers a platform to capture the low end of underserved markets without having to worry about massive cost overruns or the complexity of managing infrastructure where time spent comes at the cost of forgoing something else.

I have a project I'd like to start building this year and I've been contemplating trying to do everything on Cloudflare. Now I'm thinking I should re-evaluate that idea and build it on DigitalOcean or AWS and use Cloudflare as an intelligent cache that's disposable if needed.

Why should I trust Cloudflare any more than I trust the other big tech companies where everyone is at risk of being banned by a robot in an instant?


Why do they think they have the right to kill domains that people have entrusted them with their custodianship? I don't understand why they have to set any domain to pendingDelete status, short of a court order. It sounds like something ripe for abuse. I don't see what the benefit of overzealous deletion is. If they think a domain is malicious they want to stop it they can simply disable it via NS records without actually deleting it for the remainder of the contract payment cycle. People shouldn't have to live in fear that their domain might randomly be deleted with no recourse. Perhaps new legislation is necessary to protect people's domains from random registrar deletion.


This, and the linked thread, is very concerning. I hope that Cloudflare's growth doesn't mean it's going down the same route as Google in having hair-trigger automated systems with little or no human oversight or review.

I have important personal domains hosted with CF's registrar. I'm now wondering if I need a fallback plan.

I hope that @jgc is reading these threads and giving them some attention.


DNS is something that would benefit from a real distributed solution. Whether blockchain or based on other sensible technologies, we shouldn't be at the will of unscrupulous companies. It should be 100% distributed like with .bit domains.


Wow. Thank you. Will move everything out of Cloudflare as soon as possible.


Why would you even want a party like Cloudflare be holding your domain names? What is the advantage of that?


For one, it’s super cheap and if you use other CF services, it’s convenient.


> doctors (who monitor HN for any mention of the company name using a script) quickly turned up in the thread and had the users account restored before they got too much bad press for their mistake

This is why it's an enormous red flag when I see anyone doing customer service in the HN comments. You may as well have a neon sign that says "we only give a shit about the customers who can make trouble for us". When I see a founder fixing someone's problem I can be dead certain that when I become the one with the problem I am SOL.


I do customer support wherever my users/customers are, so I have (several!) alerts for PhotoStructure.

If someone reports a bug or asks a question, whether that be on my forum, my discord, my subreddit, some rando bbs, or HN, I try to jump in and resolve their concern.

Not all companies are twirling their mustaches and cackling nefariously. I just want happy users.


Making an HN submission about a customer service issue is nobody's first course of action. That happens when they believe a company has failed so notably that strangers need to be informed about it.


Okay, calling BS on the absurdity of this comment's framing...

Have you ever called one of those big web hosts with 24/7 support (GoDaddy, NameCheap, ScammyxyzabcdefghijkHost.com)?

Their support will have that poor soul on a call for 8 hours and then upsold to 50 business services they didn't need where they were "freaked out" into buying.

Cloudflare is trying to liberate domains (or at least technical folk) from all of that nonsense as an at-cost provider. You are not SOL with buying your domain at Cloudflare or using their services.


I've called in for support with both GoDaddy and Namecheap. Both resolved my issues while on the phone, quickly, with no attempted upsells.


Or read the contract you sign with cloudflare as part of the buying agreement.


The contract doesn't invalidate their obligations as a registrar.

"All ICANN-accredited registrars are required to allow registrants to transfer domain names to another registrar."


If these occurrences are often enough, it puts Cloudflare’s registrar accreditation at risk with ICANN.


The key part of this is “upon request” if you delete their domain beforehand then it gets messy. There is an argument to be made that it shouldn’t have been deleted in the first place.

Now as the registrant you have right to redeem the domain so you could recover via that route. So the domain CAN be saved.


In the recent thread about arbitration, an attorney said something to the effect of: you cannot possibly hope to keep up with a corporation's army of lawyers, actuaries, and even psychologists writing those agreements.

You may not have even originally agreed to said terms, and they were shoved at you in an update which you "can opt out of" by discontinuing your service.



... and then refuse to do business with them, obviously?


And when you are done reading it, throw it in the trash. Like everything from cloudflare.



